This week, a recurring debate on Hacker News about using JSON Web Tokens (JWTs) as session tokens resurfaced, highlighting divergent views on their efficacy and security. The consensus among participants is that infrequently refreshed, stateless JWTs are unsuitable as session tokens because they cannot be revoked, and that combining long-lived JWTs with a stateful, database-backed blocklist is redundant. Frequently refreshed, stateless JWTs are cautiously accepted because their short expiration acts as a revocation mechanism, although database-backed, stateful session tokens are easier and sufficient for most cases.

Despite the complexity and minimal benefits of frequently refreshed JWTs for most applications, their usage is rising due to trends emphasizing efficiency and the need for synchronized sessions in modern software integrations. Proponents argue for embracing JWTs by improving their implementation, particularly by ensuring short expiration times to enhance security against XSS attacks. The discussion underscores the importance of optimizing speed and integration capabilities while addressing security concerns in web development.
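The revocation trade-off described above, as an added example that is not taken from the discussion: a short-lived HS256 access JWT is verified statelessly, while a refresh token is checked against a server-side store. The signing key, the 300-second lifetime and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed demo key; a real service loads its own
ACCESS_TTL = 300               # assumed access-token lifetime in seconds
sessions = {}                  # stateful side: refresh token -> user, read only on refresh

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header, body):
    return hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()

def issue_access(user, now):
    """Create a short-lived JWT; nothing about it is stored server-side."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "exp": now + ACCESS_TTL}).encode())
    return f"{header}.{body}.{b64e(sign(header, body))}"

def verify_access(token, now):
    """Stateless check: signature, pinned algorithm, expiry. Returns the user or None."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sign(header, body), b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        claims = json.loads(b64d(body))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def login(user, now):
    refresh = secrets.token_urlsafe(32)
    sessions[refresh] = user
    return issue_access(user, now), refresh

def refresh_access(refresh, now):
    """The only database lookup: a revoked session gets no new access token."""
    user = sessions.get(refresh)
    return issue_access(user, now) if user else None

def revoke(refresh):
    # Access tokens already issued stay valid until their exp claim passes.
    sessions.pop(refresh, None)
```

After `revoke`, an already-issued access token keeps verifying until its `exp`, so `ACCESS_TTL` is the upper bound on how long a revoked session remains usable.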