/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On
    • Resources

      • Overview
        External SSO Connections
        Standalone SSO
    • Integration Guides

      • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth
    • Resources

      • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
    • Integration Guides

      • Integrate with AI agents
        Integrate with a remote MCP server
    • Resources

      • About Remote MCP Servers
    Sessions
    • Resources

      • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims
    • Integration Guides

      • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links
    • Resources

      • Overview
        Email Security Scanner Protections
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication
    • Resources

      • Overview
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC
    • Resources

      • Overview
        Stytch Resources & Roles
        Role assignment
    • Integration Guides

      • Start here
        Backend integration
        Headless frontend integration
    SCIM
    • Resources

      • Overview
        Supported actions
    • Integration Guides

      • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authentication

/

Sessions

/

Resources

/

JWTs vs Session Tokens

Session tokens vs. JWTs

Stytch Member Sessions are identified by a session_token or session_jwt. We will cover the differences between the two options and which may better suit your needs.

Session tokens

  • These are considered opaque because they don't contain any information about the Member or the underlying Session.
  • The session_token should be authenticated via the SessionsAuthenticate endpoint before a Member takes any action that requires authentication.
  • The session_token will be considered invalid if the underlying Session is revoked.

You might use session tokens if...

  • Your security needs require that your app must never accidentally use a revoked Session (i.e. even the small 5 minute grace period of our default JWTs is not acceptable to your app's security).
  • Your access to user-side storage is limited and can only store small values.
  • You don't want to expose the Session data (authentication factors) or metadata (timestamps) in user storage.

JWTs

  • Contains standard claims as well as information about the Stytch Session.
  • JWTs can be authenticated locally without an API call. A session_jwt is signed by project-specific keys stored by Stytch. You can retrieve your project's public key set via our Get JWKS endpoint.
  • Expires after 5 minutes but can be refreshed via our Authenticate Session endpoint for the duration of the underlying Stytch Session.
  • The session_jwt will successfully locally validate until the five-minute expiration mark, even if the underlying session is revoked. You can always refresh more frequently than that if you prefer.

You might use JWTs if...

  • Your application would benefit from the performance improvements of validating user sessions without an external network request.
  • You're using Stytch Sessions to authorize actions outside of your app and that authorization works via JWT.
  • We strongly recommend that you use our Backend SDKs (available in Node, Python, Ruby, and Go) if you are using JWTs. Our libraries handle the logic to authenticate JWTs locally and automatically fall back to the Stytch API when the JWT is expired.

Session tokens

JWTs