😵 in a nutshell, we already have session and ssl, the encryption is done by ssl and the identification is done by the session (or cookies or token). SSL is not about identification but that it is possible with a session that it doesn't require a special tool to configure.
So, why we need JWT? To replace ssl and session/cookies? Not really, we still use ssl and or session.
JWT allows a way to not have to check a central DB for every request to say an API. Albeit not w/o drawbacks as covered by this piece. So instead of -- 1) receive request, 2) look up user's session for info and to determine if it's valid, 3) serve user request -- with JWT you can eliminate step 2.
As the author describes for most small and medium sites, validating a request against a central session store is really not that onerous. It's only when you get into Netflix territory - then you have to worry about how to distribute all that state where it's always available and accurate in real time for any service that needs to authenticate the user.
We’re a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.