JWT

JSON Web Tokens provide stateless authentication without server-side session storage. The token carries the claims, the signature proves integrity, and any service with the secret can verify it independently. For microservices and API authentication, JWTs eliminate the shared session store.

Keep the tokens short-lived and use refresh tokens for session extension. Don't store sensitive data in the payload — it's base64-encoded, not encrypted. Used correctly, JWTs are the right authentication mechanism for API-first architectures.