If a user is changing their password, you're going to hit the db there. But don't want to hit the db for authorization?
I have found the benefits of storing a per user string, and a global shared string hashed together gives us the most flexibility with our JWT implementation. In this particular case I'd store a hash of the password to use with the global string and hash them together for a JWT secret.
