Yep. I was brought on to a project where the JWT secret was a 6 letter band name. It's the hotness newness in the JS community and there's a lot of tutorials out there that show how easy it is to set up without explaining the risks/trade-offs.