For managing sessions we use access tokens + rotating refresh tokens. The access tokens are slightly different from a JWT but closely resemble the way JWTs work