by aaronmu 1356 days ago
What's the difference between an opaque token and a cookie that has a single session identifier in it? 'y know - the way we did it in the 90's.
4 comments

Cookie is a mechanism to store and send tokens to the server, which is orthogonal to what the token is.

You could store JWT in a cookie, or use opaque token in a HTTP header, for example.

That said, the session cookies we loved back in the day were usually opaque tokens, yeah.

There isn't one - the session identifier is an example of an opaque token.

For a normal web app, not too much.

As sibling comments point out, an opaque token can be stored elsewhere (though, to be fair, the session identifier which is in that cookie can be placed elsewhere too).

Cookies are limited in where they can be sent (https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...).

Cookies are mainly used to identify the user (e.g. his session and prior authentication), while tokens are used to forward something to prove that an application wants to access one or multiple APIs.
So if you need the client to pass on sensitive (authentication/authorization) information to another party without that party having access to the original provider of that data (except its public key, I suppose), then JWT is a usable format, with a lot of support.
Well, yes ;-)