JWT (JASON Web Tokens) uses a digital signature, and I have found (the common use of) this to be insecure. Example: tokens can be intercepted.
OAuth (adding a defined protocol), if you use it with your own self-coded, custom, authentication scheme is much better, but in this case it's security depends upon your own addition to it.
How to use?
To maximize your security, you should code an addition to OAuth or you should one-time-pad encrypt your tokens. Example: Server-Side has a bank of OTPs (for that one single customer) and Client-Side has the same bank of OTPs. Supply the Client-Side directly (in-person) to your clients with your own coded custom installation software.
or
Use OAuth without a standard JWT (write your own) and use the OTP process as described above.
If you are looking into OAuth and (which can use) JWT then you might have need of, or interest in, security.
The actual security is up to you and there is no commonly known encryption that even comes close to OTPs. Example: OTPs can not be mathematically or computationally broken down into a mathematical or computational process.