Comparisons

JWT vs Session

Session auth stores state on the server and gives the client an opaque ID (easy to revoke); JWT is a self-contained signed token the server can verify without a lookup (stateless, harder to revoke).

2 min read·7 sections
Open the interactive version → diagrams, practice & more

Overview

After a user logs in, you need to remember them on later requests — and the two dominant approaches differ in where the state lives. Server-side sessions store the session in a database or Redis and hand the browser an opaque cookie; every request looks it up, which makes revocation instant but adds a read per request and shared state to scale. JWTs (JSON Web Tokens) pack the user's claims into a signed token the client carries; the server verifies the signature with no lookup — great for stateless, distributed services — but you can't easily revoke a token before it expires.

JWT vs Session: key differences

JWTSession
StateSelf-contained, none on serverStored server-side (DB/Redis)
VerificationVerify signature, no lookupLookup the session each request
RevocationHard (valid until expiry)Instant (delete the session)
ScalingStateless — easy across servicesNeeds shared session store
Token sizeLarger (claims travel each request)Tiny opaque ID

When to use JWT

Stateless APIs and microservices, cross-service or third-party auth (OAuth/OIDC), and mobile clients — where avoiding a per-request session lookup is valuable. Keep token lifetimes short and pair with refresh tokens.

When to use Session

Traditional web apps and anywhere you need instant revocation and tight control — banking, admin tools — and a central session store is no burden.

Verdict

Use server sessions when you want simple, instantly-revocable auth and already have a shared store — still the safest default for many web apps. Use JWTs for stateless, distributed, or cross-domain auth, but keep them short-lived and add refresh tokens plus a revocation/denylist strategy for sensitive actions. Hybrids (short JWT access token + server-side refresh token) are common.

Common questions

Are JWTs more secure than sessions?

Not inherently — they solve different problems. Sessions are easier to revoke and keep secrets off the client; JWTs avoid per-request lookups but are hard to invalidate early. Security depends on short lifetimes, safe storage, and HTTPS more than on the choice itself.

Why are JWTs hard to revoke?

A JWT is valid until it expires because the server verifies it by signature alone, with no central record to delete. To revoke early you need extra machinery — a denylist, short expiries with refresh tokens, or token versioning — which partly reintroduces server state.

Part of Comparisons on SystemLore — system design explained with 148 deep topics, interactive diagrams, and a build-it-yourself game. Browse the glossary and "X vs Y" comparisons, or build this one →