Message-level security is the most fundamental method available to secure your individual request messages. After the initial authentication is performed, the request message itself may contain the OAuth bearer token or the JWTs, based on the implementation. This way, each and every request is authenticated, and the information related to the user can be embedded within these tokens. The information could be as simple as a username along with an expiration timestamp indicating token validity. After all, we don't want to allow a token to be utilized beyond a certain time frame.
However, it is important to note here that you are free to implement it in such a manner so that a lot more information can be embedded and utilized for different uses.