---
title: Session vs Token
subtitle: JWTs are bearer credentials; sessions are the revocable server-side record
slug: concepts/session-vs-token
---

Gwop auth gives you both an access token and a session because they solve different problems.

## The difference

* the **JWT access token** is what the client sends on authenticated requests
* the **session** is the server-side record behind that token

The token is optimized for fast local verification. The session is optimized for lifecycle control.

## Why both exist

If you only had a token, you could verify signature and expiry locally, but you would not have an immediate way to revoke access before expiry.

If you only had a session lookup, every authenticated request would require a live round-trip.

Gwop gives you both so your backend can choose the right tradeoff:

* verify the JWT locally for the fast path
* use `sid` to perform a live session check when revocation or logout semantics matter

## Practical backend rule

Use the token to establish identity quickly. Use the session when you need revocation-aware auth.

That usually means:

* local JWT verification on every request
* session lookup for sensitive routes, immediate logout, or strict revocation handling
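
The rule above as an added example (not Gwop's SDK and not code from this page): local verification on every request, plus a `sid` session check on sensitive routes. It assumes an HS256 shared secret and an in-memory dict in place of the live session lookup; `mint`, `verify_local`, `authorize`, `SECRET` and `SESSIONS` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared key, demo value only
SESSIONS = {"sess_1": "active", "sess_2": "revoked"}  # stand-in for the live session lookup

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(sub, sid, ttl=300, now=None):
    """Build a constructed sample token (demo helper, not an issuance API)."""
    now = int(time.time()) if now is None else now
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "sid": sid, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_local(token, now=None):
    """Fast path: check signature and expiry only, with no network call."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Pin the algorithm and compare signatures in constant time.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, AttributeError):
        return None  # malformed token: reject
    return claims if claims.get("exp", 0) > now else None

def authorize(token, sensitive=False, now=None):
    """Return the claims if the request is allowed, else None."""
    claims = verify_local(token, now)
    if claims is None:
        return None
    # Revocation-aware path: the token alone cannot show that a session was revoked.
    if sensitive and SESSIONS.get(claims.get("sid")) != "active":
        return None  # fail closed on revoked or unknown sessions
    return claims
```

A token whose session is revoked still passes `verify_local` until `exp`; only the `sensitive=True` path rejects it.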

## Related pages

<CardGroup cols={2}>
  <Card title="Sessions" icon="duotone id-card" href="/auth/sessions">
    See the live session API for status and revocation
  </Card>

  <Card title="JWT Verification" icon="duotone badge-check" href="/integration-patterns/jwt-verification">
    See the recommended pattern for local verification plus session-aware auth
  </Card>
</CardGroup>
