Can JWT be a replacement for session based authentication for web application?


Can traditional session-based authentication, as used in almost all web frameworks, be replaced by JWT; or was JWT designed with other clients (e.g. mobile first) in mind?

What are some downsides of using JWT as a replacement for cookie-based session authentication?

1

There is 1 answer

6
Hans Z. On

A JWT can indeed be a replacement for session-based authentication, since all information that is typically retained in the session can now be included in a self-contained, secured JSON object that is stored by the client. In case the client is a browser, the JWT may even be used as a session cookie, in which case the JWT use case collapses with cookie-based session authentication. A typical advantage of JWTs over cookies is that JWTs can be used across domains. A downside is that the size of a JWT is typically larger (because it contains more information and because of the crypto involved for protecting its contents).