Session storage should be preferable to JWT auth all things remaining same

2 points by pyeri, about 2 months ago

There are usually two ways of authenticating an incoming request for accessing an API resource.

1. The authentication key or password can be passed through a JSON field or authorization header. This can be compared to the key already stored in session storage. The simplest approach is `authorizationKey == session('key')`. This requires you to have session storage feature on the backend.

2. The JWT approach relieves you from session storage but then it needs to compute the signature verification (HMAC/RSA/ECDSA) for each incoming API request.

Thus, the first approach requires you to have session storage, and the second approach doesn't need session storage but at the cost of extra computing overhead for performing cryptographic calculations.

Considering that RAM is usually cheaper than processing power, it makes far more economic sense to use the former approach everywhere for authentication than the latter. Especially as you start scaling the app to millions of requests, that's when the VPS hosting bill amount starts rising and the approach will need optimization.

1 comment

NoahZuniga, about 2 months ago

Most of the value from JWTs is from not having to access storage to verify authentication. If you have billions of sessions, it isn't easy to just have one server respond to millions of requests per second. Also it's easier to share authentication information between companies using JWTs. IE: Cloudflare Access includes a JWT token with forwarded requests.
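The two approaches compared in this thread, side by side, as an added example that is not part of either post: a server-side session lookup and a stateless HS256 JWT check built only on the Python standard library. The `SESSIONS` dict, `SECRET` key and all function names are assumptions made for illustration; the session side looks tokens up by hash rather than using the `==` comparison from the post.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed HS256 key (assumption)
SESSIONS = {}                      # stand-in for server-side session storage

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _key(token: str) -> str:
    # Store only a hash so a leaked session table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def session_login(user: str, ttl: int = 3600) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = (user, time.time() + ttl)
    return token

def session_verify(token: str):
    # Approach 1: one storage lookup per request, no signature maths.
    entry = SESSIONS.get(_key(token))
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]

def session_revoke(token: str) -> None:
    SESSIONS.pop(_key(token), None)    # takes effect immediately

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def jwt_issue(user: str, ttl: int = 3600) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": int(time.time()) + ttl}
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_sign(header + '.' + payload))}"

def jwt_verify(token: str):
    # Approach 2: no storage access, one HMAC per request.
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None                # pin the algorithm, never trust the header
        if not hmac.compare_digest(_sign(header + "." + payload), b64url_decode(sig)):
            return None                # constant-time signature comparison
        claims = json.loads(b64url_decode(payload))
        return claims.get("sub") if claims.get("exp", 0) >= time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None
```

A revoked session fails on the next request, while a JWT issued this way stays valid until its `exp` unless a server-side deny list is added, which brings storage back into the request path.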