Definitely depends on timeline; PAST is a reasonable recommendation gaining momentum as best practice. The recent Show HN annoucement discussed many caveats of authentication tokens:

Show HN: PAST, a secure alternative to JWT | https://news.ycombinator.com/item?id=16070394 (2018Jan:361 points,137 comments)

Downside is that this is very new and there is only a PHP library.