Message-level security is the most fundamental way available to secure your individual request messages. After the initial authentication is performed, the request message itself can carry the OAuth bearer token or the JWT, depending on the implementation. This way, each and every request is authenticated, and information about the user can be embedded within the token. That information can be as simple as a username along with an expiration timestamp indicating how long the token is valid. After all, we don't want to allow a token to be used beyond a limited period of time.
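The per-request check described above, as an added example that is not from the original text: a server validates an HS256-signed JWT carrying only a username (`sub`) and an expiration timestamp (`exp`) on every request. The function names, the shared demo key and the explicit `now` parameter (passed in so the result is deterministic) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64u_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, username, ttl_seconds, now):
    # Issued once, after the initial authentication succeeds.
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": username, "exp": now + ttl_seconds})
    signing_input = ".".join(b64u_encode(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64u_encode(sign(key, signing_input))

def authenticate(key, authorization, now):
    """Run on every request: return the username or raise ValueError."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    signing_input, _, sig_part = token.rpartition(".")
    # Verify the signature before trusting anything inside the token.
    if not hmac.compare_digest(b64u_decode(sig_part), sign(key, signing_input)):
        raise ValueError("bad signature")
    header, claims = (json.loads(b64u_decode(p)) for p in signing_input.split("."))
    # Pin the algorithm instead of accepting whatever the header declares.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        raise ValueError("missing subject")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return claims["sub"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret, not a real key
    token = issue_token(key, "alice", ttl_seconds=300, now=1_000)
    print(authenticate(key, "Bearer " + token, now=1_100))
```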
However, it is important to note here that you are free to implement it in such a manner that a lot more information could be embedded and ...