What are the advantages of storing the JWT on a server instead of inside the app?

Wouldn't it be easier to sniff the URL than to reverse-engineer the app?

HTTPS + SSL pinning?

So in order to write an app using MusicKit I have to become a web admin as well?

For example, if your key was compromised, you can reject the old one and generate a new one without resubmitting the app to the App Store (and leaving users without a working app).
