API Design

Session vs JWT Tokens: The Core Difference Explained
Every time someone asks me “should I use sessions or JWTs?”, I know what’s actually behind the question. They’ve read a few blog posts, seen the word “stateless” thrown around like it’s automatically better, and now they’re stuck. So let’s settle this properly - not with buzzwords, but with what’s actually happening on the wire and on your server.

Sessions: the “we keep a record at the front desk” approach

Think of session-based auth like checking into a hotel. You show your ID once at the front desk, the staff verifies it, and they hand you a room key card. That card doesn’t contain your name, your passport number, or your booking details - it’s just a random, opaque number. The hotel’s computer system has all your actual information stored in its database, keyed by that card number.
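To make “on the wire and on your server” concrete, here is an added example (not code from the original post) that implements both models side by side with the Python standard library only. The session side hands out an opaque random ID and keeps the record in `SESSION_STORE`, a hypothetical in-memory stand-in for a database or Redis; the JWT side builds and verifies an HS256 token by hand so you can see that the claims are readable by anyone holding the token and that nothing is stored server-side. Function names, the `ttl` parameter and the `now` injection point are my own choices for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ----- Session-based auth: opaque ID on the wire, record on the server -----
SESSION_STORE = {}  # hypothetical stand-in for a DB/Redis table of sessions


def create_session(user_id: str) -> str:
    """Return a random session ID; it carries no information about the user."""
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    SESSION_STORE[sid] = {"user_id": user_id, "created": time.time()}
    return sid


def resolve_session(sid: str):
    """Look the ID up server-side; None means unknown or already revoked."""
    return SESSION_STORE.get(sid)


def revoke_session(sid: str) -> None:
    """Logout is a single delete: the ID stops working immediately."""
    SESSION_STORE.pop(sid, None)


# ----- JWT (HS256): claims travel on the wire, the server keeps nothing -----
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_jwt(user_id: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """Build header.payload.signature; `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_jwt_claims(token: str) -> dict:
    """Anyone holding the token can read its claims: no secret is needed."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims  # no store lookup: nothing server-side can cut this short
```

Two things to notice when you run it. A session ID reveals nothing and can be killed server-side at any moment, which is why `revoke_session` is a one-liner. The JWT is self-describing: `peek_jwt_claims` reads the user out of it without the secret, a forged payload fails `verify_jwt` only because the HMAC no longer matches, and there is no revoke function because the server holds no record to delete; the token stays valid until `exp`.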
Can You Still Call an API RESTful Without Every Rule?
Everyone slaps “RESTful” on their API. Open any docs page, scroll the marketing copy, and there it is — “our clean, RESTful API.” But here’s the uncomfortable bit: by the strict definition, almost none of them actually are. So the question you’re really asking is whether the word still means anything if you break some of the rules. Honestly, that’s where it gets tricky. Short answer first, because I hate articles that bury it: yes, you can still call it RESTful in everyday conversation, but no, it isn’t a REST API by Roy Fielding’s original definition unless it’s hypertext-driven. Both of those things are true at the same time, and the gap between them is the whole story.