What information to sign on Authentication Token

I'm using jwt with NodeJS for my authentication token. Currently, I sign the audience, the IP and the client onto the payload.

I also put the user's guid on the payload so that in subsequent requests, I can find the user using the guid; an example of a guid is bd262477-8b93-4f2c-9dc9-175edf6e0d14.

Is this bad or a security concern? I guess what I'm asking is what information should you put on the payload? Is guid okay or bad?

Can someone provide me with a link that explains why (or why not) there is a security concern with what you include in the token?

The entire token should be signed, protecting all the claims in the token body.

Regarding what you can securely put in the token: it depends on where the tokens will be stored "at rest". But generally speaking, you should not put sensitive information in the token unless you are going to encrypt the token as well (encryption is a second step, in addition to signing).

I work at Stormpath and we have several articles on the topic:

Use JWT the Right Way!

Where to Store Your JWTs - Cookies vs HTML5 Web Storage

Token Based Authentication for Single Page Apps (SPAs)

Hope this helps!