JSON Web Tokens (JWT) vs Sessions

In essence, a JWT is a signed piece of data in JSON format. Because it’s signed, the recipient can verify its authenticity. Because it’s JSON, it weighs very little. If you are after the formal definition, it’s in RFC 7519.
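To make the definition concrete, here is an added example (not code from the original post) that builds an HS256-signed JWT with only the Python standard library and then verifies it the way a recipient would: recompute the HMAC over the header and payload, compare it in constant time, and refuse any token whose signature, algorithm or expiry does not check out. The key and claims are constructed sample values; `exp` is the standard expiration claim from RFC 7519.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; in a real service this comes from secret storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None

    # Only accept the algorithm we issue with; "none" or a swapped alg is rejected
    # before any signature math happens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None

    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, signature):
        return None

    try:
        claims = json.loads(b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return None

    # A signed token can still be stale: honour the standard exp claim if present.
    if isinstance(claims, dict) and "exp" in claims:
        current = time.time() if now is None else now
        if current >= claims["exp"]:
            return None
    return claims


if __name__ == "__main__":
    token = jwt_encode({"sub": "alice", "role": "user"}, DEMO_KEY)
    print(token)
    print(jwt_verify(token, DEMO_KEY))
```

The important point for the passport analogy that follows is that the verifier never trusts what the payload says about itself; it trusts it only after the signature has been recomputed with a key the issuer controls. Editing a single claim in the middle segment invalidates the signature, and a token signed with a different key is rejected outright.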

Signed data is nothing new – what’s thrilling here is how JWT can be used to create truly RESTful services, with no sessions. As it turns out, the idea has been around for a while. Here’s how it works in the physical world – I will draw the analogies straight after:

Imagine you are coming back to your country from holidays abroad. You are at the border and you say – you can pass me through, I’m a homie. All fine and dandy, but how can you support your claim? Most probably you are carrying a passport confirming your identity. Let’s assume the border staff have everything required to tell for sure whether the passport was genuinely issued by the Passport Office of your country. The passport proves to be in order and they let you through.