node.js, express, security, jwt

Why is it bad to send jwt in request body?


I asked ChatGPT whether it's bad or not to send a JWT in the request body, and it says:

No, it is generally not recommended to send JWT (JSON Web Token) tokens in the request body. JWT tokens are primarily designed to be sent in the request headers, specifically in the "Authorization" header using the "Bearer" scheme.

Security: Sending tokens in the request body exposes them to potential logging, caching, and other security risks. For example, if the server logs incoming requests (which is a common practice), the token will be recorded in plain text, which could lead to unauthorized access if the logs are compromised.

Is this answer valid?


Solution

  • It's true that Authorization headers aren't typically going to show up in a log somewhere, or will be sanitized if done correctly. The Authorization header is usually where things like auth tokens go, and it makes sense to use it if you can.

    It's also true that you may have legitimate reasons to include that JWT in the request body, perhaps even in the URL itself. It's up to you to weigh out the risks and benefits here. A JWT doesn't do anything on its own... it depends entirely on what you're putting in it and how you're using it. Also, it's up to you to audit how your logging works and come up with a scheme that is secure for your specific use cases.

    Sorry there's no solid black or white answer here... it just depends on your specific use case and needs.
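An added example (not code from the question, the answer, or ChatGPT) illustrating the logging point above in plain Node.js: one helper reads the token from the Authorization header, and a redaction step shows what a naive request logger writes versus a sanitized line when the same token is sent in the body. The request objects, `SAMPLE_JWT`, and the `[REDACTED_JWT]` placeholder are all constructed for the example; no Express dependency is needed.

```javascript
// Added example: read the JWT from the Authorization header (the recommended
// place) and redact tokens from a request before it is logged. Plain Node.js,
// no Express dependency; `req` is a hypothetical Express-like request object.

// Heuristic for a compact JWS: a base64url header that starts with "eyJ" (the
// encoding of '{"'), then payload and signature segments separated by dots.
const JWT_RE = /eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

// Pull the token out of "Authorization: Bearer <token>"; null if absent or malformed.
function getBearerToken(req) {
  const header = req.headers && req.headers.authorization;
  if (typeof header !== 'string') return null;
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2 || !/^bearer$/i.test(parts[0])) return null;
  return parts[1];
}

// Recursively replace anything that looks like a JWT in strings, arrays and objects.
function redactJwts(value) {
  if (typeof value === 'string') return value.replace(JWT_RE, '[REDACTED_JWT]');
  if (Array.isArray(value)) return value.map(redactJwts);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redactJwts(v)]));
  }
  return value;
}

// What a naive request logger writes: headers and body verbatim, token included.
function naiveLogLine(req) {
  return `${req.method} ${req.url} headers=${JSON.stringify(req.headers)} body=${JSON.stringify(req.body)}`;
}

// Same line after redaction; safe whether the token was sent in the header or the body.
function safeLogLine(req) {
  return naiveLogLine({ ...req, headers: redactJwts(req.headers), body: redactJwts(req.body) });
}

// Constructed sample token (placeholder signature, not a real credential).
const SAMPLE_JWT = [
  Buffer.from('{"alg":"HS256","typ":"JWT"}').toString('base64url'),
  Buffer.from('{"sub":"user1"}').toString('base64url'),
  'signature-placeholder',
].join('.');

// Two constructed requests: token in the Authorization header vs. token in the JSON body.
const headerReq = { method: 'POST', url: '/api/orders', headers: { authorization: `Bearer ${SAMPLE_JWT}` }, body: { item: 42 } };
const bodyReq = { method: 'POST', url: '/api/orders', headers: {}, body: { item: 42, token: SAMPLE_JWT } };

console.log(naiveLogLine(bodyReq)); // the token lands in the log verbatim
console.log(safeLogLine(bodyReq));  // the token is replaced by [REDACTED_JWT]
```

A token in the body is only as safe as every logger, proxy and cache that sees the body; the redaction here has to be applied at each of them, whereas a well-known header is what most logging libraries already know to strip.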