Using a long-term token for a static website makes sense. Longer-term tokens are more vulnerable to misuse because they do not expire as quickly. To reduce the risk of misuse, you can add an "origin" claim to your token's payload object.
const payload = {
  iss: teamId, /* Issuer: your Apple Developer Team ID */
  iat: Math.floor(Date.now() / 1000), /* Issued at: current time in whole seconds */
  exp: Math.floor(Date.now() / 1000) + 31536000, /* Expires one year after iat */
  origin: yourOriginString /* e.g. "https://yourdomain.com" */
};
This value must match the Origin header sent by the browser visiting the page. For example, if we had a map on this page, the value would be "https://forums.developer.apple.com".
Using an origin will help ensure that your token can't be used for other websites.