What is the difference between using JWT and the session secret? I thought you could validate the JWT without a request to the server, so I implemented it but realized that a request to the server is needed anyway. So what is the point of using it instead of the session workflow?