Question 1

What's the difference between JWT and a session cookie?

Accepted Answer

A session cookie usually contains a random session ID, and the server stores session data in a database or cache. A JWT typically carries claims (like user ID, roles, and expiration) inside the token itself and is digitally signed so the server can verify it without looking up session state. Cookies are often used to store either a session ID or a JWT; the key difference is whether the server must store session state.

Question 2

When should I use JWT?

Accepted Answer

Use JWT when you need stateless authentication/authorization across multiple services (microservices), APIs, or domains, especially with OAuth 2.0/OpenID Connect. JWTs are a good fit when you want APIs to validate requests by checking a signature and claims (issuer, audience, scopes, expiration) without a server-side session store. Avoid JWT for long-lived sessions that require frequent revocation or immediate logout unless you also implement short expirations, refresh tokens, and/or a revocation strategy.

Question 3

How much does JWT cost?

Accepted Answer

JWT itself is a free standard; there is no licensing cost to create or validate JWTs using common libraries. Costs come from the surrounding infrastructure: identity provider fees (e.g., managed IAM/CIAM services), compute time for signing/verification, key management (KMS/HSM), API gateway or load balancer features, and operational costs for token rotation, monitoring, and incident response.

JWT

Definition

Real-World Example

Related Terms

Cloud Provider Equivalencies

Explore More Cloud Computing Terms