I thought this was a good idea. Pros: fewer database calls. Cons: there is no way to revoke the token (except for changing the secret key). I rewrote the authorization as a middleware. Request handlers no longer need to validate the user.
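The trade-off described above, as an added example that is not the original author's code: a WSGI middleware verifies an HMAC-signed token without any database call, so handlers just read the user it sets, and changing the secret key is the only way to invalidate tokens already issued. The language, the token format, the `exp` lifetime claim and all names here are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def _sign(secret: bytes, payload: str) -> str:
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(secret: bytes, user: str, ttl: int = 900) -> str:
    # Assumed format: base64url(JSON claims) + "." + base64url(HMAC-SHA256)
    claims = json.dumps({"sub": user, "exp": int(time.time()) + ttl})
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    return payload + "." + _sign(secret, payload)

def verify_token(secret: bytes, token: str):
    """Return the user name or None. Pure computation, no database call."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(secret, payload)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        # A short lifetime bounds how long an unrevocable token stays usable.
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

class AuthMiddleware:
    """Rejects unauthenticated requests before any handler runs."""
    def __init__(self, app, get_secret):
        self.app, self.get_secret = app, get_secret

    def __call__(self, environ, start_response):
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        user = verify_token(self.get_secret(), token) if scheme == "Bearer" else None
        if user is None:
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [b""]
        environ["auth.user"] = user  # handlers trust this, no validation of their own
        return self.app(environ, start_response)

def handler(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["auth.user"].encode()]

def call(app, token):
    """Drive the app once with a constructed request; return (status, body)."""
    seen = []
    body = app({"HTTP_AUTHORIZATION": "Bearer " + token}, lambda s, h: seen.append(s))
    return seen[0], b"".join(body)
```

Rotating the value returned by `get_secret` rejects every outstanding token at once, which is the revocation limit named in the cons.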