Smaller keys, faster everything
Ed25519 public keys are 32 bytes. RSA-2048 public keys are 256 bytes — eight times larger, which matters when you're shipping JWKS to every client that wants to verify. Sign and verify operations are ~10x faster than RSA at equivalent security levels.
No padding oracle to footgun
RSA signatures need padding (PKCS#1 v1.5 or PSS). If your library picks the wrong one, or a verifier accepts both, you have a security hole. Ed25519 has one mode, deterministic, and a fixed signature size. There is no padding decision to get wrong.
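The single-mode property described above, as an added example (not code from this article or from any JOSE library): a compact JWS signed and verified with Node's built-in `crypto` module, where the verifier pins `alg` to `EdDSA` instead of trusting the token header. The function names, key pair and claims are constructed for illustration.

```javascript
// Added example: Ed25519 JWS sign/verify using only Node's built-in crypto.
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Constructed key pair for the demo; the JWK is what a JWKS endpoint would publish.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const publicJwk = publicKey.export({ format: 'jwk' }); // { kty: 'OKP', crv: 'Ed25519', x }

function signEdDSA(claims, key) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const payload = b64u(JSON.stringify(claims));
  const input = `${header}.${payload}`;
  // Ed25519 takes no digest or padding parameter, so the algorithm argument is null.
  const sig = crypto.sign(null, Buffer.from(input), key);
  return `${input}.${b64u(sig)}`;
}

function verifyEdDSA(token, jwk) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm to what the key is for; the token does not get to choose.
  if (header.alg !== 'EdDSA') throw new Error(`unexpected alg: ${header.alg}`);
  if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') throw new Error('wrong key type');
  // Ed25519 signatures are always 64 bytes; reject anything else before verifying.
  const sig = Buffer.from(s, 'base64url');
  if (sig.length !== 64) throw new Error('bad signature length');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, sig)) {
    throw new Error('signature mismatch');
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}
```

Decoding `publicJwk.x` from base64url yields the 32-byte public key, which is the whole of the key material a JWKS entry needs to carry.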
Library support is finally there
In 2019 you'd struggle to find an Ed25519 JWT library outside Go. In 2026, every mainstream JOSE library supports it: jose (Node), PyJWT (Python), jose4j (Java), ruby-jose. The decade-old 'just use RS256' advice is stale.