I'm building a Next.js site with headless WordPress and will use the REST API or maybe the GraphQL alternative. My question is if authorization with a JWT token is necessary for just fetching public posts?
I have tried it and it seems to make requests very slow plus creates overhead in terms of storing into a cookie etc.
In the Next.js wordpress-cms example they only use authorization optionally to be able to get unpublished posts.
So in a nutshell: do I need to implement authorization with a JWT token for every request to make my site secure, or is this not necessary when building a Next.js site with headless WordPress?
You don't need to implement any kind of authorization to serve public content. You may need authorization to serve private content and/or to publish data, just like a normal WordPress setup. Compared to REST, GraphQL provides lighter and cleaner data; it might be a better solution for a headless WP most of the time.
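The split the answer describes, as an added example (not part of the original thread or of the Next.js example project): public listings go out with no credentials, and the token is attached only for draft previews, from server-side code. The helper names, the `WORDPRESS_AUTH_TOKEN` variable, the host and the `Bearer` scheme (as used by common JWT plugins) are assumptions; `/wp-json/wp/v2/posts`, `status`, `_fields` and `per_page` belong to the WordPress core REST API.

```javascript
// Added example. buildPostsRequest / fetchPosts are hypothetical helper names.

// Build the request for a post listing. Public listings carry no credentials;
// only preview mode (drafts) attaches the bearer token.
function buildPostsRequest(baseUrl, { preview = false, token } = {}) {
  const url = new URL("/wp-json/wp/v2/posts", baseUrl);
  // Ask only for the fields the page renders, to keep responses small.
  url.searchParams.set("_fields", "id,slug,title,excerpt,date");
  url.searchParams.set("per_page", "10");
  const headers = { Accept: "application/json" };
  if (preview) {
    // Fail closed: never fall back to an anonymous draft request.
    if (!token) throw new Error("preview requested without a server-side token");
    url.searchParams.set("status", "draft");
    headers.Authorization = `Bearer ${token}`; // assumed JWT plugin scheme
  } else {
    url.searchParams.set("status", "publish");
  }
  return { url: url.toString(), headers };
}

// Server-side only (for example, called from getStaticProps). The token is read
// from the environment, so it never reaches the browser or a cookie.
async function fetchPosts({ preview = false } = {}) {
  const baseUrl = process.env.WORDPRESS_URL || "https://cms.example.com"; // placeholder host
  const { url, headers } = buildPostsRequest(baseUrl, {
    preview,
    token: preview ? process.env.WORDPRESS_AUTH_TOKEN : undefined, // assumed variable name
  });
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`WordPress responded with ${res.status}`);
  return res.json();
}
```

Because the public path sends no `Authorization` header, those responses can be cached or statically generated without any per-visitor token handling.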