Auth on the Frontend (Part 1): Authentication — JWT, Sessions, and Security

Authentication on the frontend involves storing credentials or tokens, sending them with requests, and handling refresh and logout. JWT and session cookies have different tradeoffs; storing tokens securely and refreshing correctly are critical. This post covers patterns senior frontends use and the security implications.


JWT vs session cookies

JWT (JSON Web Token): The server signs a payload of claims (e.g. user id, issued-at, expiry) and returns the token to the client. The client sends it on each request (e.g. in an Authorization header or in a cookie). The server verifies the signature and checks the expiry, so it doesn't need to store session state. Pros: Stateless, scales across servers, and any backend holding the verification key can accept the token. Cons: Hard to revoke before expiry (a blocklist works, but it reintroduces server-side state, which is why short lifetimes plus a refresh flow are the usual compromise). The payload is signed, not encrypted: it is only base64url-encoded, so anyone holding the token can read every claim, and nothing secret belongs in it. If the token is stored anywhere JavaScript can read (localStorage, sessionStorage, a non-HttpOnly cookie), an XSS bug can exfiltrate it and replay it until it expires. The verifier must also pin the expected algorithm rather than trusting the token's own `alg` header.