Sessions, tokens, JWT, OAuth, and the difference between proving who you are and what you can do.
Authentication proves who you are; authorization decides what you may do. Learn the difference and how it maps to HTTP 401 vs 403.
A JWT is a compact, signed token that carries claims about a user. Learn its three parts, why it is signed but not encrypted, and how to use it safely.
A short-lived access token proves who you are on every request; a long-lived refresh token quietly mints new ones. Learn why the split exists and how to store each safely.