There are several ways to build authentication in micro-services. However, a very popular one is using JWT tokens and the OAuth protocol together with the OpenID Connect identity layer.
In this tutorial explaining how it can be achieved, there is one tip:
Pass by reference when tokens have to leave your network, and then convert them to by-value tokens as they enter your space. Do this conversion in your API gateway.
However, it's not clear to me what the reason behind it is. I suspect it might be due to some security benefits (not giving the client the possibility to read any specific info), because the JWT token itself might contain info about roles/permissions. But for this purpose the token can also be encrypted.
Another reason might be that the JWT token is too big, and such an approach might be used in order not to carry this token every time (or, if the JWT token is stored in a cookie, it has size limits).
I haven't seen any info that JWT token authentication is compromised and that it's a bad practice to keep it on the client (in the browser).
On the other hand, I see that Ping Identity is also using the pass-by-reference approach. Can you help me understand the reasoning behind it?
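
The conversion described in the quoted tip, sketched as an added example that is not part of the original post or the tutorial: the client holds only a random reference token, and the gateway swaps it for a signed by-value JWT that internal services verify locally. Assumptions: an in-memory dict stands in for the authorization server's token store, the gateway and services share an HS256 key, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: key known only to the gateway and internal services (constructed).
INTERNAL_KEY = secrets.token_bytes(32)
# Stand-in for the authorization server's token store: reference -> claims.
TOKEN_STORE = {}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_reference_token(sub, roles, ttl=300):
    """Authorization server: the client receives only a random handle."""
    ref = secrets.token_urlsafe(32)
    TOKEN_STORE[ref] = {"sub": sub, "roles": roles, "exp": int(time.time()) + ttl}
    return ref

def revoke(ref):
    TOKEN_STORE.pop(ref, None)

def gateway_exchange(authorization_header):
    """API gateway: swap the reference token for a signed JWT, or return None."""
    scheme, _, ref = authorization_header.partition(" ")
    claims = TOKEN_STORE.get(ref) if scheme.lower() == "bearer" else None
    if claims is None or claims["exp"] <= time.time():
        return None  # unknown, revoked or expired: rejected at the edge
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(INTERNAL_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def service_verify(jwt):
    """Internal service: check signature and expiry locally, no network call."""
    try:
        header, payload, sig = jwt.split(".")
        expected = hmac.new(INTERNAL_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > time.time() else None
```

The reference token carries no claims for the client to read, and removing it from the store takes effect on the next request, while the JWT minted by the gateway never leaves the internal network.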