The Shift From Cookie to Token Authentication
Cookie-based sessions worked beautifully for web browsers, but they had problems when apps moved beyond the browser – to mobile, APIs, and microservices.
Traditional sessions don't scale well across devices, servers, or APIs.
That's where token-based authentication came in.
Instead of storing session state on the server, tokens let the client carry its own proof of authentication.
The Core Idea
A token is a digitally signed piece of data that proves the user is who they claim to be.
Think of it as:
“Here's my ID card, signed by the government – you can trust it's real without calling them."
That's exactly what JWTs do.
What Is a JWT?
A JSON Web Token (JWT) is a compact, self-contained, digitally signed token used to verify identity and authorization.
Structure
JWTs have three parts separated by dots (.):
header.payload.signature
1 Header
Describes how the token is signed (and that it is a JWT).
{
  "alg": "HS256",
  "typ": "JWT"
}
2 Payload
Contains claims – statements about the user. Note that the payload is only base64url-encoded, not encrypted: anyone who holds the token can read it, so it must never carry secrets.
{
  "userId": 42,
  "role": "admin",
  "exp": 1731556200
}
Common claims:
| Claim | Meaning |
|---|---|
| sub | Subject (user ID) |
| iat | Issued at |
| exp | Expiration time |
| iss | Issuer |
| aud | Audience |
3 Signature
Used to verify the token hasn't been altered.
For example, using HMAC SHA256 over the first two base64url-encoded parts:
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
If even a single character in the header or payload changes, the signature fails to verify, and without the secret an attacker cannot produce a valid signature for the altered data.
How JWT Authentication Works
Let's walk through the flow.
Step 1: User Logs In
The client sends login credentials:
POST /login
{
  "username": "alice",
  "password": "secret"
}
Step 2: Server Verifies & Issues Token
If credentials are correct:
{
  "token": "eyJhbGc....."
}
This token is signed with a secret key (for HMAC algorithms such as HS256) or a private key (for asymmetric algorithms such as RS256).
Step 3: Client Stores the Token
Instead of a session cookie, the client stores it in:
- Local Storage (for SPAs)
- Secure Storage (for mobile apps)
- Memory (for short-lived tokens)
Local Storage is readable by any script running on the page, so an XSS bug there hands the token to the attacker; keeping short-lived tokens in memory only limits that exposure.
Step 4: Client Sends Token with Each Request
Now, every request includes the token in the Authorization header.
GET /api/profile
Authorization: Bearer eyJhbGc....
Step 5: Server Verifies Token
The server:
- Splits the JWT into header, payload, and signature
- Checks that the header's alg is the one it expects (never letting the token choose the algorithm, which rules out "none")
- Verifies the signature using the same secret (or the issuer's public key)
- Only then reads the claims and checks if it's expired (and that iss and aud match, if they are used)
If valid -> access granted
If invalid -> access denied
Step 6: Token Expiry
Access-token JWTs are kept short-lived (e.g., 15 minutes), because the server cannot revoke them once issued.
Clients can use a refresh token to get a new one without re-logging in.
JWT vs Session-Based Auth
| Feature | Session-Based | Token-Based |
|---|---|---|
| Storage | Server | Client |
| State | Stateful | Stateless |
| Scalability | Hard (needs shared session storage) | Easy (no server-side session state) |
| Logout | Easy (invalidate session) | Hard (token is valid until expiry unless the server keeps a denylist) |
| Cross-domain | Hard (cookies are bound to a domain) | Easy (mobile + API) |
Why JWT Took Over
JWTs are:
- Stateless (no DB lookup)
- Portable (work across APIs, apps, and devices)
- Self-contained (carry all needed info)
- Fast (verification only needs the key, not a database lookup)
They are used as ID tokens in OpenID Connect, as access tokens in many OAuth 2.0 deployments, and by Firebase, Google APIs, AWS Cognito, and countless others.