Modern Authentication Patterns: JWT, Sessions, OAuth, and Passkeys
A comprehensive comparison of authentication approaches with implementation guidance and security trade-offs for each.
Authentication is the front door to your application, and getting it wrong has severe consequences. Credential stuffing, session hijacking, token theft, and phishing attacks are everyday threats. At Vaarak, we've implemented authentication systems for healthcare platforms, financial services, and enterprise SaaS. This guide covers the four main approaches, their trade-offs, and when to use each.
Session-Based Authentication
The oldest and simplest pattern: user logs in, server creates a session (stored in a database or Redis), and sends a session ID in an HttpOnly cookie. Every subsequent request includes the cookie, and the server looks up the session to identify the user.
- Pros: Simple, secure (HttpOnly cookies prevent XSS token theft), easy to revoke (delete the session), no client-side token storage concerns
- Cons: Requires server-side session storage (memory/database), sticky sessions for load balancing, doesn't work well for mobile apps or third-party API access
- Best for: Traditional web applications, admin dashboards, applications where server-side control over sessions is important
JWT (JSON Web Tokens)
JWTs are self-contained tokens that encode user information and a cryptographic signature. The server doesn't need to store session state — it verifies the token's signature and reads the embedded claims. This makes JWTs ideal for stateless architectures, microservices, and APIs consumed by mobile apps.
import { SignJWT, jwtVerify } from 'jose';
const SECRET = new TextEncoder().encode(process.env.JWT_SECRET);
export async function createTokenPair(userId: string, roles: string[]) {
const accessToken = await new SignJWT({ sub: userId, roles })
.setProtectedHeader({ alg: 'HS256' })
.setIssuedAt()
.setExpirationTime('15m') // Short-lived access token
.sign(SECRET);
const refreshToken = await new SignJWT({ sub: userId, type: 'refresh' })
.setProtectedHeader({ alg: 'HS256' })
.setIssuedAt()
.setExpirationTime('7d') // Longer-lived refresh token
.sign(SECRET);
return { accessToken, refreshToken };
}
export async function verifyToken(token: string) {
const { payload } = await jwtVerify(token, SECRET);
return payload;
}JWTs cannot be revoked once issued (the server doesn't store them). If a token is compromised, it's valid until expiration. Mitigate this with short expiration times (15 min) and a token blocklist for emergency revocation.
OAuth 2.0 and OpenID Connect
OAuth 2.0 is an authorization framework (granting access to resources), and OpenID Connect (OIDC) is an authentication layer on top of it (proving identity). Together, they power 'Sign in with Google/GitHub/Microsoft' flows and enterprise SSO. Unless you have a very specific reason to build your own identity system, use an OAuth provider.
Passkeys: The Future of Authentication
Passkeys (WebAuthn/FIDO2) replace passwords with cryptographic key pairs tied to biometrics (fingerprint, face) or device PINs. They're phishing-resistant (the key is bound to the domain), user-friendly (biometric authentication is faster than typing passwords), and supported by all major browsers and platforms. We're implementing passkeys as the primary authentication method for all new projects.
Our Recommendation
- New web apps: Passkeys as primary, email magic links as fallback, OAuth for enterprise SSO
- Mobile apps: OAuth 2.0 with PKCE flow, biometric-protected token storage in secure enclave
- APIs: JWT with short expiration + refresh tokens, API keys for service-to-service authentication
- Enterprise: SAML/OIDC integration with identity providers (Okta, Azure AD, Auth0)
Whatever pattern you choose, layer on MFA, rate-limit authentication endpoints, monitor for anomalous login patterns, and have an incident response plan for credential compromises. Authentication security is never 'done' — it's a continuous practice.
Lisa Patel
Security Engineering Lead