JSON Web Tokens did not appear overnight.
They were created to solve a growing problem on the web: applications were becoming more distributed, APIs were replacing monolithic servers, and developers needed a secure, standardized way to exchange identity information between different systems.
To understand why JWT exists, it's helpful to look at how authentication evolved over the past few decades.
In the early days of the web, most applications were simple.
A browser communicated with a single server, users logged in with a username and password, and the server stored a session after successful authentication.
The flow was straightforward:
Browser
│
│ Login
▼
Web Server
│
▼
Session Created
│
▼
Session ID Cookie
Every future request included a session cookie.
The server looked up that session in memory or a database and determined whether the user was authenticated.
For many applications, this model still works well today.
As web applications became more complex, a single server was no longer enough.
Applications began exposing APIs that could be consumed by: