> Whether you send a session ID in a cookie or a JWT makes no difference for the app's general behavior
It does make a difference. The cookie is sent by the browser to the server, the JWT is sent in the Authorization: header by the JavaScript code executed by the browser.
Using an opaque JWT token wrapped in cookie is OK. Using a JWT token in the Authorization: header is not OK.
It does make a difference. The cookie is sent by the browser to the server, the JWT is sent in the Authorization: header by the JavaScript code executed by the browser.
Using an opaque JWT token wrapped in cookie is OK. Using a JWT token in the Authorization: header is not OK.