Designing an auth workflow
A well-designed authentication workflow is stateless: the server keeps no per-user session record, so there is no server-side session to expire or clean up (the token itself still carries its own expiry). Users can interact with your stateless REST APIs from as many devices and tabs as they wish, simultaneously or over time. A JSON Web Token (JWT) implements distributed claims-based authentication: the claims are integrity-protected either with a Message Authentication Code (MAC) under a shared secret or with an asymmetric digital signature (JWS), and can additionally be encrypted (JWE) when the claims themselves must stay confidential. This means that once a user's identity has been authenticated (for example, by a password challenge on a login form), they receive an encoded claim ticket, the token, which they present on future requests to the system without having to re-authenticate.
The server can independently verify the validity of this claim, by checking the MAC or signature under the key and algorithm it expects and then the token's expiry, and process the request without any prior knowledge of having interacted with this user. Thus, we don't have to store session information regarding a user, making our solution stateless...
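The issue-then-verify cycle described above, as an added example that is not part of the original text: a minimal HS256 (HMAC-SHA256) JWT issuer and verifier using only the Python standard library. The shared secret, subject name and 15-minute lifetime are assumptions for illustration; a real deployment would load the secret from a secret store and use a maintained JWT library. The verifier pins the algorithm instead of trusting the token's header, compares the MAC in constant time, and rejects expired tokens, which is all the server needs to accept a request with no session lookup.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared secret for the issuing server (illustrative only; never hard-code a real one).
SECRET = b"example-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that b64url_encode stripped before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, secret: bytes, ttl_seconds: int = 900,
                now: Optional[float] = None) -> str:
    """Called once, after the password challenge succeeds: sign a claim set with HS256.

    The short ttl is the only revocation mechanism a stateless token has,
    so keep it short and pair it with a refresh flow if longer sessions are needed.
    """
    issued_at = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify a presented token with no stored session state; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, claims_seg, sig_seg = parts

    # Pin the algorithm: the verifier decides, never the token. This rejects "alg": "none"
    # and stops a token signed with a different algorithm from being accepted.
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Recompute the MAC over exactly the bytes that were signed and compare in constant time.
    signing_input = (header_seg + "." + claims_seg).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")

    # Only after integrity is established do we trust anything inside the claims.
    claims = json.loads(b64url_decode(claims_seg))
    current = now if now is not None else time.time()
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Convenience wrapper for request handlers that only need an accept/reject decision."""
    try:
        verify_token(token, secret, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed walk-through: login issues a token, a later request presents it.
    token = issue_token("alice", SECRET)
    print(token)
    print(verify_token(token, SECRET))
```

Because nothing about the user is stored server-side, a leaked token stays usable until its `exp` passes; that is the price of statelessness, and it is why the lifetime above is minutes, not days.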