dniel / traefik-forward-auth0

A backend for performing forward authentication with Auth0 using the Traefik reverse proxy.

Encrypt JWT_TOKEN in cookie

dniel opened this issue · comments

The JWT_TOKEN contains the user info of a user and should be protected.
It is intended only for the application that sent the client-id and client-secret and should not be passed around to other applications. To make ForwardAuth the only application able to read the session token, the whole token should be encrypted. Other applications should get the needed user info from HTTP headers set by ForwardAuth or use the User info endpoint #51

Maybe implement a feature toggle for encryption so that it's easier for local development and if someone wants to use an unencrypted JWT_TOKEN anyway to pass the user profile around.
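As an added example (not code from the traefik-forward-auth0 project), a Go sketch of the scheme described in this issue: the session JWT is stored in the cookie as AES-256-GCM ciphertext under a key that only ForwardAuth holds, with a toggle that falls back to the raw token for local development. The key, the type and the function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// CookieSealer wraps the session JWT before it goes into the cookie. The encrypt
// toggle selects the raw token (local development) or AES-256-GCM under a key
// that only ForwardAuth holds (the key is an assumption of this example).
type CookieSealer struct {
	gcm cipher.AEAD // nil when the toggle is off
}
func NewCookieSealer(key []byte, encrypt bool) (*CookieSealer, error) {
	if !encrypt {
		return &CookieSealer{}, nil
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &CookieSealer{gcm: gcm}, err
}

// Seal returns the cookie value: the raw JWT, or base64url(nonce || ciphertext || tag).
func (s *CookieSealer) Seal(jwt string) (string, error) {
	if s.gcm == nil {
		return jwt, nil
	}
	nonce := make([]byte, s.gcm.NonceSize()) // fresh random nonce per cookie
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.gcm.Seal(nonce, nonce, []byte(jwt), nil)), nil
}

// Open recovers the JWT; a wrong key or a modified cookie fails the GCM tag check.
func (s *CookieSealer) Open(cookie string) (string, error) {
	if s.gcm == nil {
		return cookie, nil
	}
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) < s.gcm.NonceSize() {
		return "", errors.New("malformed session cookie")
	}
	pt, err := s.gcm.Open(nil, raw[:s.gcm.NonceSize()], raw[s.gcm.NonceSize():], nil)
	return string(pt), err
}
```

Another application that only has the cookie, but not the key, gets an authentication error from Open rather than the user profile, which is the property the issue asks for.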