Stateless authentication mechanism:

• Self-contained, only the server that created the token can verify it
  • Stateless backend
  • NO tightly coupled to one backend
• Not require shared session storage (Redis, DB)
• Easy horizontal scaling
• No CSRF risk
• Harder to revoke, need to wait until token expired

Flow

1. Client → Login (credentials)
2. Auth Server → Validate credentials
3. Auth Server → Issue token
4. Client → Store token
5. Client → Send token with every request
6. Resource Server → Validate token (not storing)
7. Access granted