JWT vs session (nodejs)

  • 0
  • Auth
jogri
29 Oct, 2024, 09:58

What is the difference between using JWT and the session secret? I thought you could validate the JWT without a request to the server, so I implemented it but realized that a request to the server is needed anyway. So what is the point of using it instead of the session workflow?

TL;DR
Developers are discussing JWT vs session authentication in Node.js. One developer asked whether it's possible to extend the JWT expiration period but didn't find a solution. Another developer doesn't understand the argument for using JWTs, since they can't verify the token without a server request. A third developer described the benefits of JWT and of session-based authentication in different scenarios. For more information, developers can check the documentation at https://appwrite.io/docs/products/auth/jwt.
Guri
29 Oct, 2024, 15:58

In Appwrite, JWTs are useful when you need to securely act on behalf of a user with the same permissions. For example, if your backend app's Server SDK needs to fetch resources, using JWT ensures that it only accesses resources the user has permissions to see. This is more secure compared to using an API key, which would fetch all resources regardless of permissions.

Guri
29 Oct, 2024, 15:59

Use JWT: When you need stateless authentication, cross-domain authentication, or when you want to minimize server load.

Guri
29 Oct, 2024, 15:59

Use Session-Based Authentication: When you need easier session revocation and have the server resources to handle session storage.

Guri
29 Oct, 2024, 16:00

For more info, check out the docs: https://appwrite.io/docs/products/auth/jwt

jogri
29 Oct, 2024, 16:24

Thanks for the answer. I still don't understand it though.

"JWT ensures that it only accesses resources the user has permissions to see" - well, so does using the session secret. I don't understand the argument since I don't use the API key to get data in both cases.

"use JWT: [...] or when you want to minimize server load." but I don't minimize server load since I can't verify the token without a server request (which would be the whole point of using JWT for me).

It all would make sense if I could verify the JWT without the need to make a request to the server. I really think I'm missing something.

darShan
29 Oct, 2024, 17:24

JWTs are short-lived, like 15ish mins, for example when you want to act as the signed-in user

arsene
4 Nov, 2024, 12:00

By the way, is it possible to extend the JWT expiration period?

I checked and found many requests for this but didn’t find an answer.
