I am trying to understand statelessness in RESTful APIs in the context of authentication. Here is the scenario:
- The user logs in.
- The server verifies the username and password and generates an opaque access token. It caches certain information associated with this token, for example the expiration time, the user ID, whether the token was explicitly invalidated before it expired, etc.
- The token is sent to the client, and the client sends it with each future request.
Fielding's dissertation defines statelessness as:
"… each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client."
In my example, the client sends the token with each request, so the first condition is met. However, my server has context associated with this session that is stored in the session cache.
Does this make my application stateful?
If so, does that mean true statelessness is achieved only by using JWTs? I ask because JWTs are quite new, so how were architects building truly stateless services before they were invented?
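To make the two designs in the question concrete, here is an added example (not code from the original post) that puts them side by side: an opaque token whose meaning lives only in a server-side cache, and a self-contained signed token whose user ID and expiry are carried in the token itself and checked with nothing but the verification key. The HMAC-SHA256 token format, the `sub`/`exp` claim names and the helper names are my own constructions for illustration; the signed variant is a minimal JWT-style token, not a full JWT implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


# --- Variant 1: opaque token, server keeps per-token state (the design in the question) ---

class OpaqueTokenStore:
    """Server-side cache keyed by a random opaque token.

    The token itself carries no information; every request requires a lookup
    in this store, which is exactly the "stored context on the server" that
    Fielding's definition rules out.
    """

    def __init__(self):
        self._sessions = {}

    def issue(self, user_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, meaningless on its own
        self._sessions[token] = {
            "user_id": user_id,
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return token

    def revoke(self, token):
        """Explicit invalidation before expiry is trivial here: flip a flag."""
        if token in self._sessions:
            self._sessions[token]["revoked"] = True

    def verify(self, token, now=None):
        """Return the user ID for a valid token, or None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["user_id"]


# --- Variant 2: self-contained signed token, verifier keeps no per-token state ---

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_signed_token(key: bytes, user_id: str, ttl_seconds: int, now=None) -> str:
    """Build '<base64url(claims)>.<base64url(HMAC-SHA256)>' (constructed format)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl_seconds)}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(sig)


def verify_signed_token(key: bytes, token: str, now=None):
    """Return the user ID if the signature and expiry check out, else None.

    Nothing here consults a cache: the key plus the token are sufficient,
    so each request is self-describing in Fielding's sense.
    """
    now = time.time() if now is None else now
    try:
        payload, sig_b64 = token.split(".", 1)
        presented_sig = _b64url_decode(sig_b64)
    except (ValueError, base64.binascii.Error):
        return None
    expected_sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, base64.binascii.Error):
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims.get("sub")
```

The contrast answers the question directly: `OpaqueTokenStore.verify` cannot work without the cache, so that design is stateful on the server, while `verify_signed_token` needs only the key. The same contrast shows the trade-off the question touches on with "explicitly invalidated before it expires": the signed variant has no `revoke` method, because honouring early revocation would require the server to remember which tokens are dead, which reintroduces exactly the per-token state that the self-contained token was meant to remove.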