JWT (JSON Web Token) is a compact, URL-safe token format for transmitting identity claims between parties. A JWT carries its claims inside the token, is signed by the issuing server, and is verified by checking that signature and the expiry claim with the issuer's key, so no database lookup is needed.
JWTs are self-contained: the token itself carries the user data. A session cookie stores only a session ID that the server must look up on every request. JWTs are stateless, sessions are stateful.
Token rotation means issuing a new access token and a new refresh token on every refresh. The old refresh token is invalidated, so a refresh token that leaks can be used at most once before rotation replaces it. GitHat uses session-based rotation: the old session is deleted on refresh, so the refresh token tied to it cannot be presented again. An access token already issued stays valid until it expires, because a stateless JWT is verified without any lookup, which is why the access TTL is kept short.
Access tokens: 15 minutes. Refresh tokens: 7 days. MCP server tokens: 5 minutes. Agent tokens: 2 minutes. Short TTLs bound how long a stolen token remains usable, since a stateless token cannot be revoked before it expires.
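The following is an added example, not GitHat's code, showing the mechanics described above: a minimal HS256 JWT signer and verifier (stateless, no lookup), a server-side session store for refresh tokens, and rotation that deletes the old session so a replayed refresh token fails. The secret, the session store layout, the `demo` walkthrough and the timestamps are constructed for illustration; the 15-minute and 7-day TTLs are the page's own values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret; a real issuer loads this from a secrets manager.
SECRET = b"constructed-demo-secret-do-not-use"
ACCESS_TTL = 15 * 60          # access tokens: 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # refresh tokens: 7 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify signature and expiry from the token alone (no store lookup); raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    # Pin the algorithm instead of trusting the header (blocks alg=none and key confusion).
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


class SessionStore:
    """Server-side refresh sessions (the stateful half). Only a hash of each refresh
    token is stored, so a leaked table alone cannot be replayed."""

    def __init__(self):
        self._sessions = {}  # sha256(refresh token) -> {"sub": ..., "exp": ...}

    @staticmethod
    def _key(refresh_token: str) -> str:
        return hashlib.sha256(refresh_token.encode()).hexdigest()

    def issue(self, sub: str, now: float) -> Tuple[str, str]:
        """Create a new session and return (access JWT, opaque refresh token)."""
        refresh = secrets.token_urlsafe(32)
        self._sessions[self._key(refresh)] = {"sub": sub, "exp": now + REFRESH_TTL}
        return sign_jwt({"sub": sub, "exp": int(now + ACCESS_TTL)}), refresh

    def rotate(self, refresh_token: str, now: float) -> Tuple[str, str]:
        """Rotation: delete the presented session, then issue a fresh pair. Presenting
        the same refresh token twice fails because its session no longer exists."""
        sess = self._sessions.pop(self._key(refresh_token), None)
        if sess is None or now >= sess["exp"]:
            raise ValueError("refresh token unknown, expired or already used")
        return self.issue(sess["sub"], now)

    def active_sessions(self) -> int:
        return len(self._sessions)


def _rejects(fn) -> bool:
    """True if fn() raises ValueError; exercises the negative paths below."""
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Walk one user through issue, verify, expiry, rotation, reuse and tampering."""
    store, t0 = SessionStore(), 1_700_000_000.0
    access1, refresh1 = store.issue("user-42", t0)
    claims = verify_jwt(access1, now=t0 + 60)
    access2, refresh2 = store.rotate(refresh1, t0 + 600)
    # Swap the payload of a valid token while keeping its signature: must be rejected.
    h64, _, s64 = access2.split(".")
    forged = f"{h64}.{_b64url(json.dumps({'sub': 'admin', 'exp': int(t0 + 10**6)}).encode())}.{s64}"
    return {
        "sub": claims["sub"],
        "expired_rejected": _rejects(lambda: verify_jwt(access1, now=t0 + ACCESS_TTL + 1)),
        "reuse_rejected": _rejects(lambda: store.rotate(refresh1, t0 + 601)),
        "tamper_rejected": _rejects(lambda: verify_jwt(forged, now=t0)),
        "new_refresh_differs": refresh2 != refresh1,
        "active_sessions": store.active_sessions(),
    }
```

Running `demo()` shows the split the text describes: the access token is accepted or rejected purely from its signature and `exp`, while the refresh token is only meaningful against the store, and after one rotation the old refresh token is gone and exactly one session remains.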
Ship authenticated apps in minutes, not weeks.