
I'm working on a personal project and use JWT for sessions. The main reason I did this is that my understanding is that it makes it much easier to implement sessions on mobile apps. Is this true? If so, should I continue using them? If not, why do I think that, and how can I future-proof my API with mobile apps in mind?


Doesn't matter. JWT can be read on the client, but it's not necessary. From a typical client's point of view, the auth token is just a string. Doesn't matter if it's a JWT or a random string. The difference is on the server side — checking a signature vs. looking up in a database.
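The server-side difference described in the reply above, as an added example that is not part of the thread. It uses only the Python standard library; the key, the in-memory `SESSIONS` table and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # constructed HS256 signing key (assumption)
SESSIONS = {}                     # stands in for a server-side session table

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_opaque(user: str, ttl: int = 3600) -> str:
    # Random string; all meaning lives in the server's table.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"sub": user, "exp": time.time() + ttl}
    return token

def check_opaque(token: str):
    # Validation is a lookup.
    row = SESSIONS.get(token)
    if row is None or row["exp"] < time.time():
        return None
    return row["sub"]

def issue_jwt(user: str, ttl: int = 3600) -> str:
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

def check_jwt(token: str):
    # Validation is a signature check; no table is consulted.
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_dec(sig)):  # constant-time compare
            return None
        if json.loads(b64u_dec(header)).get("alg") != "HS256":  # accept only the pinned alg
            return None
        claims = json.loads(b64u_dec(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")
```

Deleting a row from `SESSIONS` invalidates that opaque token immediately, while a signed token keeps verifying until its `exp` unless the server adds its own revocation check.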



