Commit e19d34d

Merge pull request jsonwebtoken#588 from miparnisari/fga
Reference FGA in the introduction
2 parents 6011376 + 6e87aa4 commit e19d34d

1 file changed: +2 −0 lines

views/website/md/introduction.md

Lines changed: 2 additions & 0 deletions
@@ -105,6 +105,8 @@ Authorization: Bearer <token>
105105

106106
This can be, in certain cases, a stateless authorization mechanism. The server's protected routes will check for a valid JWT in the `Authorization` header, and if it's present, the user will be allowed to access protected resources. If the JWT contains the necessary data, the need to query the database for certain operations may be reduced, though this may not always be the case.
107107

108+
Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don't accept more than 8 KB in headers. If you are trying to embed too much information in a JWT token, like by including all the user's permissions, you may need an alternative solution, like [Auth0 Fine-Grained Authorization](https://auth0.com/developers/lab/fine-grained-authorization).
109+
108110
If the token is sent in the `Authorization` header, Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.
109111

110112
The following diagram shows how a JWT is obtained and used to access APIs or resources:
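Review bot: the "8 KB" figure in the added paragraph (line 108) reads as a fixed rule, but request-header size limits are configurable and differ between servers and reverse proxies; consider phrasing it as a common default ("many servers and proxies reject headers larger than about 8 KB by default") or citing a source so readers check their own deployment rather than trusting one number. Two smaller points on the same line: "JWT tokens" expands to "JSON Web Token tokens", and the rest of the introduction uses plain "JWT", so "if you send JWTs through HTTP headers" would be consistent; and since the paragraph already names "including all the user's permissions" as the thing that bloats a token, it would strengthen the recommendation to note that such a token is also a snapshot of authorization state that cannot be updated until it expires, which is a second reason (beyond size) to keep fine-grained permissions out of the token and look them up at authorization time.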
