
Session vs Token

JWTs are bearer credentials; sessions are the revocable server-side record


Gwop auth gives you both an access token and a session because they solve different problems.

The difference

  • the JWT access token is what the client sends on authenticated requests
  • the session is the server-side record behind that token

The token is optimized for fast local verification. The session is optimized for lifecycle control.

Why both exist

If you only had a token, you could verify signature and expiry locally, but you would not have an immediate way to revoke access before expiry.

If you only had a session lookup, every authenticated request would require a live round-trip.

Gwop gives you both so your backend can choose the right tradeoff:

  • verify the JWT locally for the fast path
  • use sid to perform a live session check when revocation or logout semantics matter

Practical backend rule

Use the token to establish identity quickly. Use the session when you need revocation-aware auth.

That usually means:

  • local JWT verification on every request
  • session lookup for sensitive routes, immediate logout, or strict revocation handling
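
The rule above as a runnable sketch. This is an added example, not Gwop SDK code. It assumes an HS256 shared secret as a stand-in for the issuer's signing key so it runs on the standard library alone, an in-memory dict in place of the live session lookup, and constructed names (mint, verify_local, authorize) and status strings.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # assumption: stand-in for the issuer's signing key
SESSIONS = {"sess_1": "active"}    # constructed stand-in for the live session lookup

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint(sid, sub, ttl=300, now=None):
    """Issue a constructed demo token carrying the session id in `sid`."""
    now = int(time.time()) if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "sid": sid, "exp": now + ttl}).encode())
    return f"{head}.{body}.{_b64(_sign(head, body))}"

def verify_local(token, now=None):
    """Fast path: signature and expiry only, no lookup. Returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(head, body), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if now < claims["exp"] else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

def authorize(token, sensitive, now=None):
    """Verify locally on every request; sensitive routes also check the session."""
    claims = verify_local(token, now)
    if claims is None:
        return "deny: invalid or expired token"
    if sensitive and SESSIONS.get(claims.get("sid")) != "active":
        return "deny: session not active"
    return "allow"
```

A token whose session has been revoked keeps passing the fast path until exp, so the token lifetime bounds the exposure on routes that skip the session lookup.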

Related pages

Sessions

See the live session API for status and revocation

JWT Verification

See the recommended pattern for local verification plus session-aware auth