DEV Community

Discussion on: JSON Web Tokens (JWT) vs. SessionID 🔐 ? explained in 2 mins

Renato Byrro

Symmetric signing with public & private keys is not necessary for JWT. You can use a simple secret-based signing with an HMAC algorithm.

Not hard to manage, even in distributed environments. Most cloud providers offer secret management services that can easily be attached to most or all compute services. They also offer services to abstract away public/private keypair management, if you do need them.

In my experience, JWT is way easier to implement and manage in comparison to sessions. The first is stateless, the former is stateful...

Peter David Carter

Not to mention with JWT becoming the standard on many, many new commercial/open source projects, there is an increasing dev and code base geared towards this tech. There are reasons why you don't necessarily want all your data self-contained, but they're not particularly the reasons mentioned in this article imo.

Miha Jamsek

There is something iffy about using the same key for verifying and issuing tokens.
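The two points raised in this thread, HMAC (secret-based) JWT signing from the first comment and the "same key for verifying and issuing" concern from the last one, can be seen in a few lines of standard-library Python. The code below is an added example written for this discussion; it is not from any of the commenters or from the original article. It assumes the HS256 algorithm, a constructed demo secret, and an `exp` claim given as a Unix timestamp; real deployments would use a maintained JWT library rather than this minimal implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT signed with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    Note that the *same* secret used to issue the token is needed here:
    with HS256, anything that can verify can also mint. That is the
    'same key' concern from the thread; asymmetric algorithms (RS256/ES256)
    let verifiers hold only the public key.
    """
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        # Pin the algorithm on the verifier side; never let the token pick it
        # (this also rejects "alg": "none" and algorithm-confusion attempts).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256
        ).digest()
        # Constant-time comparison so timing does not leak tag bytes.
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None
        claims = json.loads(b64url_decode(payload_seg))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        return None
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Keep header and signature, swap the claims (constructed test input)."""
    header_seg, _, sig_seg = token.split(".")
    forged = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_seg}.{forged}.{sig_seg}"


if __name__ == "__main__":
    # Constructed demo values; never hard-code a real secret like this.
    demo_secret = b"constructed-demo-secret-do-not-use"
    token = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, demo_secret)
    print("valid:   ", verify_hs256(token, demo_secret))
    print("tampered:", verify_hs256(tamper_payload(token, {"sub": "admin"}), demo_secret))
    print("wrong key:", verify_hs256(token, b"some-other-secret"))
```

The stateless property from the first comment is what `verify_hs256` shows: no lookup against a session store, only the secret and the token itself. The trade-off the last comment points at is equally visible: every service that needs to call `verify_hs256` must be given `demo_secret`, and with it can call `sign_hs256` just as well, so the secret's blast radius is every verifier, not just the issuer.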