Adding JWT support to the server. Signing a JSON object as a payload and sending the signed token to the browser on authentication.
I've read that the contents could easily be decoded and read and are only protected against manipulation.
You said that there's a specification on what should go in the payload. Got a link?
Yeah, check this: https://openid.net/specs/draft-jones-json-web-token-07.html
And you definitely don't want to put anything in the payload that is sensitive. Play around with http://jwt.io/ for a little bit and you can see that the information can be decoded regardless of the secret.
Do you know of any resources that might go through adding a secret to an environment variable? Thanks.