# Stateless Session Management

* Authopia uses stateless sessions: sessions are not stored on the server side. Instead, it issues JWTs that are cryptographically signed by Authopia.
* To verify a token's validity, use the public key we provide to check the signature contained in the token. If the signature is valid, the data in the JWT can be trusted.
* JWTs offer strong security and can be validated on the client side alone, so this step does not cause a major performance decrease.
* After Authopia authenticates the user, it returns an ID token, valid for 30 minutes, via the widget's `onSuccess` callback. An access token and a refresh token are also returned as secure, HTTP-only cookies for further communication with Authopia.
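The signature check described above, as an added Node.js example that is not Authopia's own code. It assumes RS256 signing and a standard `exp` claim, neither of which this page specifies; the function names are hypothetical, and a locally generated key pair stands in for Authopia's key.

```javascript
// Added example. Assumptions: RS256 signatures and an `exp` claim in the ID token.
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Check the signature first; read claims only after it passes.
function verifyIdToken(token, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    publicKeyPem, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// Constructed issuer standing in for the service, so the example runs offline.
function issueSampleToken(privateKeyPem, claims) {
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Returns the subject on success, or the rejection reason.
function check(token, publicKeyPem, nowSec) {
  try { return verifyIdToken(token, publicKeyPem, nowSec).sub; } catch (e) { return e.message; }
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const iat = 1700000000; // constructed issue time; 30-minute lifetime as on this page
  const token = issueSampleToken(privateKey, { sub: 'user-123', iat, exp: iat + 30 * 60 });
  const [h, , s] = token.split('.');
  const altered = `${h}.${b64url({ sub: 'admin', iat, exp: iat + 30 * 60 })}.${s}`;
  return {
    valid: check(token, publicKey, iat + 60),
    tampered: check(altered, publicKey, iat + 60),
    expired: check(token, publicKey, iat + 31 * 60),
  };
}
```

`demo()` shows the three outcomes a verifier must distinguish: an intact token inside its lifetime, a payload changed after signing, and an intact token past its 30 minutes.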
