OAuth2

Session cookie (or web token) vs JWT-based authentication


In both cases the client/browser holds a "cookie"; what differs is the content of the cookie.

In the session-cookie case, the cookie holds a session id. The server keeps the mapping from session id to user id, so the cookie by itself carries no user data.

In the JWT case (also called a bearer token), the token itself carries the user id as a claim. The claim is base64url-encoded and signed, not encrypted: any holder of the token can read it, and the signature is what stops it from being altered.

What is JWT (Json Web Token)?

JWT is an open standard used to share security information between two parties — a client and a server. Each JWT contains encoded JSON objects, including a set of claims.

JWTs are self-contained. The information they carry can be verified and trusted because it is digitally signed.


A JWT is a string made up of three parts, separated by dots (.), and serialized using base64. In the most common serialization format, compact serialization, the JWT looks something like this: xxxxx.yyyyy.zzzzz.

OAuth Steps

  1. The Authentication Provider creates a JWT at the request of a client and signs it so that it cannot be altered by any other party.

  2. The client will then send this JWT with its request to a REST API. The REST API will verify that the JWT’s signature matches its payload and header to determine that the JWT is valid. When the REST API has verified the JWT, it can use the claims to either grant or deny the client’s request.
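The two steps above, and the three-part `header.payload.signature` layout described earlier, as an added example that is not part of the original notes. It uses the HS256 (HMAC-SHA256, shared-secret) variant with only the Python standard library; the secret key, the `user-42` subject and the timestamps are constructed for the demonstration. `create_jwt` plays the Authentication Provider (step 1), `verify_jwt` plays the REST API (step 2), and `read_claims_unverified` shows that the payload is readable without the key, which is why nothing secret belongs in it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example; a real issuer keeps this private.
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding removed (RFC 7515).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes) -> str:
    """Step 1: the Authentication Provider encodes header and claims, then signs
    'header.payload' so no other party can change either part unnoticed."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Step 2: the REST API recomputes the signature over 'header.payload' and
    compares it to the third part, then checks the claims. Returns the claims
    on success and None on any failure (malformed, wrong key, tampered, expired)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides how to check, never the token.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time comparison so timing does not leak signature bytes.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    # Only after the signature holds are the claims worth looking at.
    current = int(time.time()) if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def read_claims_unverified(token: str) -> dict:
    """The payload is base64url-encoded, not encrypted: anyone holding the token
    can read it without the key. Never use this path to make an access decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    token = create_jwt({"sub": "user-42", "exp": 2_000_000_000}, SECRET_KEY)
    print(token)  # three base64url parts separated by dots
    print(read_claims_unverified(token))  # readable without SECRET_KEY
    print(verify_jwt(token, SECRET_KEY, now=1_900_000_000))  # claims accepted
    print(verify_jwt(token, b"some-other-key", now=1_900_000_000))  # None
```

The verifier pins `alg` to HS256 and compares digests in constant time; with an asymmetric algorithm (RS256/ES256) the same structure applies, but the REST API would hold only the provider's public key and the private key would never leave the Authentication Provider.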