The decade-old JWT vs sessions fight has a boring answer: both, deliberately. Short access JWTs, rotating refresh tokens, httpOnly cookies, and a real revocation story.