Use JWS for short-lived secrets
Ie auth codes, which means state isn't required for them and expiry can be built into them.
The key could be generated ephemerally, or retrieved as a secret
This will also allow for tickets, too
Edited by Jamie Tanna