SaaS Builder Playbooks

Intro

Choose sessions for browser-based SaaS apps that control their own frontend and backend. Choose JWT only when you need stateless API auth across separate clients or services.

For most MVPs, server-side sessions are simpler, safer, and easier to revoke. JWT adds flexibility but requires explicit handling for expiry, refresh, revocation, storage, and claim validation.

decision tree for browser app vs SPA vs mobile app vs public API vs internal service auth.

Which client type or architecture fits your needs?

Browser app

Use server-side sessions with HttpOnly cookies — best CSRF/XSS balance

SPA

Use short-lived JWTs in memory + refresh token in HttpOnly cookie

Mobile app

Use OAuth 2.0 PKCE flow — no client secret, refresh tokens in secure storage

Public API

Issue API keys or OAuth client credentials — no user sessions

Internal service auth

Diagnose: internal service auth

Quick Fix / Quick Setup

Quick rule: browser app you own end-to-end -> sessions. Public API, mobile client, or separate frontend/backend domains -> JWT or session-cookie API with strict CORS. Avoid JWT as the default just because it sounds modern.

python

# Recommended default for a small SaaS
# Use secure server-side sessions for your web app

# Flask example
from flask import Flask, session
from datetime import timedelta

app = Flask(__name__)
app.secret_key = "replace-me"
app.config.update(
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SECURE=True,      # True in HTTPS production
    SESSION_COOKIE_SAMESITE="Lax",
    PERMANENT_SESSION_LIFETIME=timedelta(days=7),
)

@app.post('/login')
def login():
    # after verifying password
    session['user_id'] = user.id
    session.permanent = True
    return {'ok': True}

@app.post('/logout')
def logout():
    session.clear()
    return {'ok': True}

# Use JWT only for cross-client APIs, with short-lived access tokens
# and rotating refresh tokens stored server-side or in secure cookies.

Decision defaults:

Browser SaaS dashboard: use server-side sessions
Admin panel: use server-side sessions
Same-domain web app + API: use session cookies if possible
Mobile app: use JWT access tokens + rotating refresh tokens
Public API: use bearer tokens
Hybrid SaaS: sessions for web, tokens for API consumers

What’s happening

Sessions and JWT solve different problems.

Sessions store auth state on the server or in a shared session store. The client usually keeps only a session ID cookie.
JWT stores signed claims inside the token. The client sends that token on each request, often in an Authorization: Bearer header or secure cookie.
Sessions are easier to revoke immediately because the server controls session validity.
JWT access validation can be stateless, but logout and revocation are harder unless you add refresh-token storage, deny lists, or token version checks.
Most small SaaS auth bugs come from using JWT for a simple web app without designing expiry, refresh, logout, revocation, and secure storage first.

High-level tradeoffs:

Topic	Sessions	JWT
Browser web app	Best default	Usually unnecessary
Logout	Simple	Requires design
Forced logout	Simple	Requires revocation/versioning
Horizontal scaling	Needs shared store	Easier for access validation
CSRF risk	Yes, with cookies	Yes, if JWT is in cookies
XSS impact	Lower with httpOnly cookies	Higher if stored in localStorage
Mobile/API support	Less natural	Strong fit
Complexity	Lower	Higher

Feature	Sessions	JWT
Storage	Server-side (Redis/DB)	Client-side (Cookie/LocalStorage)
Revocation	Easy — delete server record	Hard — requires token blacklist
Scaling	Requires shared session store	Stateless — no shared store needed
CSRF risk	Yes — mitigate with CSRF tokens	Lower if not stored in cookies
XSS exposure	Lower with HttpOnly cookies	Higher if stored in LocalStorage
Mobile support	Cookie friction on mobile/API	Native bearer token support
Operational complexity	Session store infra required	Secret rotation & expiry management

comparison table for revocation, scaling, CSRF, XSS exposure, mobile support, and operational complexity.

Step-by-step implementation

Step 1: Classify your clients

Pick the auth model by client type.

Browser-only SaaS dashboard
SPA on same parent domain
SPA on separate domain
Mobile app
Internal service-to-service
Public API consumers

Recommended mapping:

Browser app -> sessions
Same-domain frontend/backend -> sessions or secure cookie auth
Mobile app -> JWT access + refresh
Public API -> bearer tokens
Internal services -> short-lived service tokens or mTLS-backed auth

Step 2: Choose one primary auth transport per client

Do not mix patterns by accident.

Browser auth: session cookie
Non-browser auth: bearer token
Hybrid product: sessions for dashboard, tokens for public API

This avoids bugs where one route expects cookies and another expects bearer tokens.

Step 3: If using sessions, keep session payload minimal

Store only references.

Good:

python

session["user_id"] = user.id
session["auth_time"] = int(time.time())
session["device_id"] = current_device_id

Bad:

python

session["user"] = full_user_json
session["permissions"] = all_permissions
session["billing_status"] = "pro"

Reason: role, billing, and authorization state can change. Re-read critical state from your database or cache.

Step 4: Configure cookies correctly

Use secure cookie defaults.

Flask

python

app.config.update(
    SESSION_COOKIE_NAME="session",
    SESSION_COOKIE_HTTPONLY=True,
    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_SAMESITE="Lax",
    PERMANENT_SESSION_LIFETIME=timedelta(days=7),
)

Express session

import session from "express-session";
import RedisStore from "connect-redis";
import { createClient } from "redis";

const redisClient = createClient({ url: process.env.REDIS_URL });
await redisClient.connect();

app.set("trust proxy", 1);

app.use(session({
  store: new RedisStore({ client: redisClient }),
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  rolling: true,
  cookie: {
    httpOnly: true,
    secure: true,
    sameSite: "lax",
    maxAge: 7 * 24 * 60 * 60 * 1000
  }
}));

Rules:

Secure=true in production HTTPS
HttpOnly=true for session cookies
SameSite=Lax is a safe default for most SaaS
SameSite=None requires Secure=true and is only needed for some cross-site setups

Step 5: If using sessions, use a shared session store when scaling

If you run multiple instances, in-memory sessions will break.

Use:

Redis
database-backed session engine

Redis example:

bash

redis-cli PING

Typical failure mode:

user logs in on instance A
next request hits instance B
instance B cannot find session
user appears logged out

Step 6: Rotate session ID on login

Prevent session fixation.

Flask

Regenerate session after login by clearing old state and issuing a fresh authenticated session.

python

from flask import session

@app.post("/login")
def login():
    session.clear()
    session["user_id"] = user.id
    session.permanent = True
    return {"ok": True}

Express

app.post("/login", (req, res, next) => {
  req.session.regenerate((err) => {
    if (err) return next(err);
    req.session.userId = user.id;
    res.json({ ok: true });
  });
});

Also rotate on privilege changes.

Step 7: Add CSRF protection for cookie-based auth

If the browser auto-sends auth cookies, protect state-changing requests.

Approaches:

synchronizer token
double-submit CSRF cookie
framework middleware

Example double-submit flow:

server sets csrf_token cookie
frontend reads value and sends it in X-CSRF-Token
server compares header to cookie/session value

Express example:

app.use((req, res, next) => {
  if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
    const csrfHeader = req.get("X-CSRF-Token");
    const csrfCookie = req.cookies.csrf_token;
    if (!csrfHeader || csrfHeader !== csrfCookie) {
      return res.status(403).json({ error: "csrf_failed" });
    }
  }
  next();
});

Step 8: If using JWT, keep access tokens short-lived

Access tokens should be short.

Typical values:

5 minutes
10 minutes
15 minutes

Do not use long-lived access tokens for primary auth.

Example claims:

json

{
  "sub": "user_123",
  "iss": "https://auth.yourapp.com",
  "aud": "yourapp-api",
  "iat": 1713600000,
  "exp": 1713600900,
  "scope": "user"
}

Validate:

exp
iat
iss
aud
sub

Step 9: Add refresh tokens with rotation

JWT without refresh-token lifecycle design is incomplete.

Store refresh tokens server-side:

sql

create table refresh_tokens (
  id uuid primary key,
  user_id uuid not null,
  token_hash text not null,
  expires_at timestamptz not null,
  revoked_at timestamptz,
  replaced_by_token_id uuid,
  user_agent text,
  ip_address inet,
  created_at timestamptz not null default now()
);

Refresh flow:

user logs in
issue short-lived access token
issue refresh token
store refresh token record server-side
on refresh, revoke old refresh token
issue new refresh token
if old refresh token is reused, revoke the token family

This is what makes logout and compromise response possible.

Step 10: Implement logout correctly

Sessions

clear server-side session
clear browser cookie

python

@app.post("/logout")
def logout():
    session.clear()
    resp = jsonify({"ok": True})
    resp.delete_cookie("session")
    return resp

JWT

revoke refresh token
optionally revoke all refresh tokens for that user/device family
clear cookie or client-side memory
accept that already-issued short-lived access tokens may remain valid until expiry unless you add deny-list checks

Step 11: Handle password changes and forced logout

Sessions:

delete all active sessions for user

JWT:

revoke all refresh tokens
bump token_version on user record
verify token_version during token validation if included or mapped through session/token lookup

Example user field:

sql

alter table users add column token_version integer not null default 0;

On forced logout:

sql

update users set token_version = token_version + 1 where id = $1;
update refresh_tokens set revoked_at = now() where user_id = $1 and revoked_at is null;

Step 12: Protect routes consistently

Return consistent status codes.

401 Unauthorized: not authenticated, invalid token, expired session
403 Forbidden: authenticated but insufficient permissions

This matters for frontend handling and API clients.

Step 13: Test edge cases before launch

Test:

access token expiry
session expiry
browser restart
multi-tab logout
password change invalidation
multiple device sessions
revoked refresh token reuse
CSRF failure behavior
secure cookie behavior behind proxy/CDN

Common causes

These are the most common reasons teams choose the wrong model or ship insecure auth:

Using JWT for a simple web app without implementing refresh token rotation and revocation
Storing JWTs in localStorage and increasing XSS impact
Missing CSRF protection when using cookie-based auth
Session cookies not marked Secure in production HTTPS
Sessions breaking across multiple instances because there is no shared session store
Logout only removing client state while refresh tokens remain valid server-side
Role or permission changes not taking effect because stale JWT claims are still accepted
Clock drift causing invalid iat, nbf, or premature exp failures
Wrong SameSite settings blocking expected cookie flows
Not regenerating session IDs on login, allowing session fixation

Debugging tips

Use direct checks instead of guessing.

Inspect response headers and cookies

bash

curl -I https://yourapp.com
curl -v -c cookies.txt -b cookies.txt -X POST https://yourapp.com/login
curl -v -c cookies.txt -b cookies.txt https://yourapp.com/protected

Look for:

Set-Cookie
Secure
HttpOnly
SameSite
expected cookie name
redirect loops

Test bearer-token routes

bash

curl -v -X POST https://api.yourapp.com/protected \
  -H 'Authorization: Bearer <ACCESS_TOKEN>'

Confirm:

token reaches backend
auth middleware reads correct header
401 vs 403 behavior is correct

Decode JWT payload during debugging

bash

jwt decode <token>

If no CLI is installed:

bash

python - <<'PY'
import base64, json
p='<JWT>'.split('.')[1]
p += '=' * (-len(p) % 4)
print(json.dumps(json.loads(base64.urlsafe_b64decode(p)), indent=2))
PY

Check:

exp
iat
iss
aud
sub

Do not treat decoded payload as proof of validity until signature verification passes.

Inspect session store

bash

redis-cli KEYS 'session:*'
redis-cli TTL session:<id>

Useful checks:

does session exist
is TTL updating as expected
is rolling session enabled or disabled by design

Inspect reverse proxy and app logs

bash

grep -R "Set-Cookie" /var/log/nginx /var/log/* 2>/dev/null
journalctl -u gunicorn -n 200 --no-pager
docker logs <container_name> --tail 200

Check for:

proxy stripping headers
app exceptions during login
cookie path/domain mistakes
TLS termination issues affecting Secure cookies

Verify server clock

bash

date -u

Clock drift causes token validation failures.

Debug checklist by symptom

Login succeeds but next request is anonymous

Likely causes:

no shared session store
cookie not set
cookie blocked by Secure on HTTP
wrong cookie domain/path
reverse proxy trust misconfigured
instance restart destroyed in-memory sessions

Logout appears to work but user still accesses API

Likely causes:

refresh token still valid
access token has not expired yet
frontend cleared local state only
backend does not revoke token family

Auth works in browser but fails cross-domain

Likely causes:

SameSite too strict
CORS missing credentials: true
cookie domain mismatch
missing CSRF handling for cookie auth

Related fix references:

Checklist

✓ Pick one primary auth model per client type and document it
✓ Use server-side sessions by default for browser-based SaaS
✓ Use Secure and HttpOnly cookies in production
✓ Add CSRF protection for cookie-authenticated state-changing requests
✓ Rotate session IDs on login and privilege changes
✓ Use a shared session store for multi-instance deployments
✓ Keep session payload minimal
✓ Use short access-token TTLs if using JWT
✓ Store refresh tokens server-side
✓ Implement refresh-token rotation
✓ Revoke refresh tokens on logout
✓ Support forced logout and password-change invalidation
✓ Test 401 vs 403 behavior
✓ Monitor auth failures and suspicious token/session reuse
✓ Verify SameSite, domain, and proxy configuration in production
✓ Review your full launch readiness in the SaaS Production Checklist

Related guides

FAQ

Should I use sessions or JWT for a normal SaaS dashboard?

Use server-side sessions by default. They are simpler to revoke, easier to reason about, and usually require less auth infrastructure for browser-based products.

When is JWT worth the added complexity?

When you need authentication for mobile apps, external API consumers, or distributed systems where bearer tokens are the right transport and you can support refresh, rotation, and revocation.

Is localStorage acceptable for JWT storage?

It works, but it increases XSS impact. For web auth, prefer httpOnly secure cookies or use sessions instead.

Can I force logout all devices with JWT?

Yes, but not with stateless access tokens alone. You need refresh-token revocation, token version checks, or a deny-list strategy.

Do cookie-based sessions require CSRF protection?

Yes. If the browser automatically sends auth cookies, state-changing requests should have CSRF protections unless your design fully prevents cross-site submission.

Are sessions more secure than JWT?

Not automatically. For browser-based SaaS, sessions are usually easier to secure correctly because revocation and logout are simpler.

Can I use JWT in cookies instead of localStorage?

Yes. This reduces XSS exposure, but you still need CSRF protection and a refresh/revocation strategy.

Can I mix both approaches?

Yes. Many SaaS products use sessions for the web dashboard and tokens for public APIs or mobile clients.

Will sessions break when scaling to multiple servers?

Not if you use a shared session store such as Redis or a database-backed session engine.

Final takeaway

Default to server-side sessions for browser-based SaaS apps.

Use JWT only when your client model actually needs token-based auth. The real decision is about revocation, storage, CSRF/XSS tradeoffs, scaling, and implementation complexity.

For most indie SaaS teams:

sessions are the safest default
JWT is a specialized tool, not the default
simpler logout and easier invalidation usually matter more than stateless token validation

If you are still building your auth stack, start here: