I think the original motivation was tied to when people were trying to build unified APIs for every kind of client: web, mobile, m2m. Cookies and sessions weren't always available afaik.
I was under the impression sessions were just arbitrary tokens backed by some server-side logic (or perhaps a database).
At its core isn't it possible to just take an object, encrypt it with a secret, store it client-side somewhere (cookies, localstorage, filesystem, printed-on-paper, whatever), send it back to the server, and it decrypts it?
I don't quite see the difference (or benefits) of JWTs over something like that.
The difference between JWT and session is where the state is stored.
For a session, you need a centralized backend to access the data stored in the session. For a JWT, you only need to verify the signature of the token to trust the data stored in the JWT.
JWT solves the problem of having multiple separate services that need to share data.
Storing state in a JWT is an easy way to share state, such as user permissions, between different servers.
But state in a JWT can be outdated due to permission changes, and it's not possible to just expire it as it's stored in the client.
To solve the problem, a more complex auth setup is needed, such as using short-lived JWTs, refresh tokens, which feels more like a bandaid to make JWT sufficiently secure.
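
The trade-off described in the comment above, as an added example that is not part of the original thread: a stdlib-only HS256 token whose verifier checks only the signature and `exp`, so a role revoked on the server keeps being accepted until the token expires. The key, the `roles` store, the timestamps and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value; shared by every verifying service

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, now: int, ttl: int) -> str:
    """Sign claims as an HS256 JWT that expires ttl seconds after now."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({**claims, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, now: int) -> dict:
    """Stateless check: signature and exp only, no backend lookup."""
    header, payload, sig = token.split(".")
    # Pin the algorithm instead of trusting whatever the header asks for.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def demo() -> dict:
    roles = {"alice": "admin"}           # constructed server-side permission store
    t0 = 1_700_000_000                   # constructed issue time
    token = issue({"sub": "alice", "role": roles["alice"]}, now=t0, ttl=300)
    roles["alice"] = "viewer"            # permission revoked after issuance
    result = {"store": roles["alice"]}
    # The verifier never consults `roles`, so the stale claim is still trusted.
    result["token_at_60s"] = verify(token, now=t0 + 60)["role"]
    try:
        verify(token, now=t0 + 300)
        result["token_at_300s"] = "accepted"
    except ValueError as err:
        result["token_at_300s"] = str(err)
    return result

if __name__ == "__main__":
    print(demo())
```

The `ttl` value bounds how long a revoked permission stays usable, which is why short-lived tokens are paired with a refresh step that does consult server-side state.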