Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works
13 points - yesterday at 11:37 AM
legulere today at 7:23 PM
Much simpler: just store session IDs in Redis.
I skimmed over the previous articles in this blog and they don't seem to mention the one use case JWTs were made for: having a separate authentication server from the application server. Most developers will only need this for integrating into corporations with single sign-on or social logins (sign in with Facebook/Google/Apple...). There you won't write the authentication server but integrate with them. Session IDs are dead simple to get right securely. Just use them.
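The server-side session approach this comment recommends, as an added example that is not code from the original article or from the commenter. A mutex-guarded map stands in for Redis (the three operations map onto SET with EX, GET and DEL); the session ID is 32 bytes from the OS CSPRNG and carries no claims, so there is nothing in it to forge, and revocation is an immediate delete rather than the blacklist machinery a stateless token would need.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Session is the server-side record an opaque id points to.
type Session struct {
	UserID  string
	Expires time.Time
}

// SessionStore stands in for Redis here: a map behind a mutex. The clock is a
// field so expiry can be exercised deterministically.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]Session
	now      func() time.Time
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]Session), now: time.Now}
}

// newSessionID returns 32 random bytes, base64url-encoded (43 characters).
// The id is only a lookup key; it encodes no user data.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Create stores a new session for userID with the given lifetime and returns the id.
func (s *SessionStore) Create(userID string, ttl time.Duration) (string, error) {
	id, err := newSessionID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = Session{UserID: userID, Expires: s.now().Add(ttl)}
	return id, nil
}

var ErrNoSession = errors.New("no valid session")

// Lookup resolves an id to a user; unknown and expired ids fail identically,
// and an expired record is dropped on the way out.
func (s *SessionStore) Lookup(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok || !s.now().Before(sess.Expires) {
		delete(s.sessions, id)
		return "", ErrNoSession
	}
	return sess.UserID, nil
}

// Revoke invalidates a session immediately (logout, password change, admin action).
func (s *SessionStore) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

func main() {
	store := NewSessionStore()
	id, _ := store.Create("alice", time.Hour) // "alice" is a constructed sample user
	user, err := store.Lookup(id)
	fmt.Println(user, err)
	store.Revoke(id)
	_, err = store.Lookup(id)
	fmt.Println(err)
}
```

Against a real Redis the same shape holds: Create becomes SET with an EX of the TTL, Lookup a GET, Revoke a DEL, and Redis enforces expiry itself instead of the clock check above.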
time4tea today at 5:09 PM
The key material is in redis?
Seems odd.
Should be in a FIPS 140 HSM?
Else key can be stolen easily.
Maybe missed something.
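The split this comment is asking about, as an added example that is not code from the original article or from the commenter: only the public half of the signing key is serialized as a JWK and published to the shared store (a map standing in for Redis, keyed by kid), while the private key stays in the signer process, which is the slot an HSM or KMS would fill in production. Verification uses nothing but what the shared store holds, so a compromise of that store yields public keys only. The kid value "2024-key-1" is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK is the public half of a P-256 signing key in JWKS form; there is no "d"
// field, and this is the only thing that belongs in a shared store.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// Signer keeps the private key in process memory only. In production this type
// would wrap an HSM or KMS handle that exposes Sign but never the key bytes.
type Signer struct {
	kid  string
	priv *ecdsa.PrivateKey
}

func NewSigner(kid string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{kid: kid, priv: priv}, nil
}

// PublicJWK returns the publishable key: coordinates only, base64url, 32 bytes each.
func (s *Signer) PublicJWK() JWK {
	coord := func(n *big.Int) string {
		return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 32)))
	}
	return JWK{Kty: "EC", Crv: "P-256", Kid: s.kid, Use: "sig", Alg: "ES256",
		X: coord(s.priv.PublicKey.X), Y: coord(s.priv.PublicKey.Y)}
}

// Sign hashes payload with SHA-256 and returns the ES256-style r||s signature (64 bytes).
func (s *Signer) Sign(payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	r, sv, err := ecdsa.Sign(rand.Reader, s.priv, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return sig, nil
}

// PublishedKeys stands in for the shared store: kid -> serialized public JWK.
type PublishedKeys map[string][]byte

func (p PublishedKeys) Publish(j JWK) error {
	raw, err := json.Marshal(j)
	if err != nil {
		return err
	}
	p[j.Kid] = raw
	return nil
}

// Verify checks sig over payload using only the published JWK for kid.
func (p PublishedKeys) Verify(kid string, payload, sig []byte) error {
	raw, ok := p[kid]
	if !ok {
		return errors.New("unknown kid")
	}
	var j JWK
	if err := json.Unmarshal(raw, &j); err != nil {
		return err
	}
	if j.Kty != "EC" || j.Crv != "P-256" || len(sig) != 64 {
		return errors.New("unsupported key or signature")
	}
	x, errX := base64.RawURLEncoding.DecodeString(j.X)
	y, errY := base64.RawURLEncoding.DecodeString(j.Y)
	if errX != nil || errY != nil {
		return errors.New("malformed coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	h := sha256.Sum256(payload)
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	s, _ := NewSigner("2024-key-1") // constructed kid
	store := PublishedKeys{}
	_ = store.Publish(s.PublicJWK())
	sig, _ := s.Sign([]byte(`{"sub":"alice"}`))
	fmt.Println(store.Verify("2024-key-1", []byte(`{"sub":"alice"}`), sig))
}
```

Rotation under this split is publishing a new JWK under a fresh kid and, after the longest token lifetime has passed, deleting the old one; the private keys never travel through the store in either direction.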