One of the values of putting something into writing is that it clarifies your thinking a bit. But the answer is pretty clearly JWT, and Passport does a fair enough job of token management that if we override it and add a few more fields to the token, we might be able to stick with Passport rather than pulling it and moving fully to JWT.
Otherwise, we'll pull passport and just use a JWT throughout the system, with a short duration token refreshed regularly. We can do this because the keepalive heartbeat service will drive the refresh automatically for us.
So if anyone else has the same thoughts (and they are asked and left unanswered all over the web), the answer is that Passport provides a midsized solution, but if you must scale to many services, then use JWT plugins and create the token contents that you need.
At least that's where we ended up.
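As an added illustration of the design described in the post above (not code from the post, from Laravel Passport, or from any JWT plugin), here is the short-lived token with a few custom claims plus the heartbeat-driven refresh, written in Python with only the standard library so it runs offline. The secret, the claim names (`roles`, `svc`), the 5-minute lifetime and the 60-second refresh window are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values; a real service loads the secret from config/KMS.
SECRET = b"example-shared-secret-do-not-use"
TOKEN_TTL = 300       # assumed: access token lives 5 minutes
REFRESH_WINDOW = 60   # assumed: heartbeat re-issues once < 60 s remain


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(user_id: str, roles: list, services: list, now: int = None) -> str:
    """Mint an HS256 JWT carrying the extra fields the post talks about:
    'roles' and 'svc' (services the token is good for) beside the standard
    sub/iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + TOKEN_TTL,
              "roles": roles, "svc": services}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int = None):
    """Return the claims if the signature and expiry check out, else None.
    The algorithm is pinned to HS256 so an attacker cannot downgrade to
    'none' or swap in a different key type."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:          # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def heartbeat_refresh(token: str, now: int = None):
    """Called on every keepalive heartbeat. Returns the same token while it
    still has plenty of life, a freshly minted one once it enters the refresh
    window, or None when the presented token is already invalid or expired
    (the client must then authenticate again; an expired token is never
    silently extended)."""
    now = int(time.time()) if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return None
    if claims["exp"] - now > REFRESH_WINDOW:
        return token
    return issue_token(claims["sub"], claims["roles"], claims["svc"], now)


if __name__ == "__main__":
    tok = issue_token("user-42", ["admin"], ["billing", "search"])
    print(tok)
    print(verify_token(tok))
    print(heartbeat_refresh(tok) == tok)
```

Because the refresh only ever re-issues against a token that still verifies, the damage window for a stolen token stays bounded by `TOKEN_TTL`, while a live client whose heartbeat keeps arriving never sees an interruption.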