Session vs Token
JWTs are bearer credentials; sessions are the revocable server-side record
Gwop auth gives you both an access token and a session because they solve different problems.
The difference
- the JWT access token is what the client sends on authenticated requests
- the session is the server-side record behind that token
The token is optimized for fast local verification. The session is optimized for lifecycle control.
Why both exist
If you only had a token, you could verify signature and expiry locally, but you would not have an immediate way to revoke access before expiry.
If you only had a session lookup, every authenticated request would require a live round-trip.
Gwop gives you both so your backend can choose the right tradeoff:
- verify the JWT locally for the fast path
- use sid to perform a live session check when revocation or logout semantics matter
Practical backend rule
Use the token to establish identity quickly. Use the session when you need revocation-aware auth.
That usually means:
- local JWT verification on every request
- session lookup for sensitive routes, immediate logout, or strict revocation handling
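The two-path rule above (local JWT verification on every request, session lookup only where revocation matters), as an added example that is not Gwop's own code: the "sid" claim name, HS256 signing with a shared secret, the in-memory revocation set and the list of sensitive route prefixes are all assumptions for illustration.

```python
# Added example (not Gwop's code): verify the JWT locally on every request and
# consult the session record only where revocation matters. The "sid" claim name,
# HS256 signing and the in-memory revocation set are assumptions for illustration.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed; load a real key from config
REVOKED = set()                       # constructed stand-in for the session store
SENSITIVE_PREFIXES = ("/account/", "/billing/")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(sub, sid, ttl=900, now=None):
    """Constructed HS256 token so the example runs stand-alone."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "sid": sid, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_locally(token, now=None):
    """Fast path: signature and expiry only, no round-trip. Returns claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:   # bad structure, bad base64, bad JSON (all ValueError subclasses)
        return None
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def session_is_live(sid):
    """Revocation-aware check against the server-side session record."""
    return sid not in REVOKED

def authorize(token, path, now=None):
    """Returns 'allow', 'deny:token' (local check failed) or 'deny:session' (revoked)."""
    claims = verify_locally(token, now)
    if claims is None:
        return "deny:token"
    if path.startswith(SENSITIVE_PREFIXES) and not session_is_live(claims.get("sid", "")):
        return "deny:session"
    return "allow"
```

Note that after a session is revoked, a non-sensitive route still accepts the token until it expires; that is the tradeoff the fast path makes, and the session check is what closes it on the routes that matter.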