frontity / frontity-embedded

Embedded Mode plugin for Frontity sites

Home Page:https://frontity.org


Restrict capabilities that can be performed through the JWT token [3pt]

luisherranz opened this issue · comments

As per @nicholasio's suggestion, we should not store the capabilities and allowed_methods in the JWT and keep them in the code instead. The token should only contain a type, like type=preview. Then, the code should check if type=preview is present and grant the proper capabilities, instead of relying on the information stored in the JWT. That way, no other capabilities can be granted, even if the private keys (SECURE_AUTH_KEY or FRONTITY_JWT_AUTH_KEY) are exposed.

He also suggests that we add a Frontity signature. I guess it could be as simple as generator=frontity, because it will simply be used to avoid reading a token that was not generated by us but that also used SECURE_AUTH_KEY for the private key.

The conversation and @nicholasio's full explanation is here: https://community.frontity.org/t/wordpress-preview-support/2419/30?u=luisherranz

We have started working on this on this branch, although it is not working yet: https://github.com/frontity/frontity-embedded/tree/restrict-token-capabilities