Thank you for your comment. Yes, I'm planning to allow running third-party apps on the platform (the exact delivery options and relevant architectural details are still under consideration). My understanding is that using JWTs is the current best practice and the much-preferred way for authentication vs. the session-based approach. The platform that I plan to build should be both highly scalable and highly secure. I think that session cookies are not the right approach for these requirements, even if I did not need to allow running third-party apps. I'm curious about what people here think about this and hope that they will chime in. (I would also need SSO, external IdP integration, clustering, MFA, maybe passwordless authentication, etc., hence my preference for managed services like Auth0. The idea is to focus on my core competencies and outsource important but non-core services to relevant solid providers, based on availability and feasibility, at least for the near-to-mid term.)
Personally I don't think it's worth worrying about scaling like that until you actually need to. There are other reasons to choose JWTs, but I don't think scalability is a good one early on.
Thank you for sharing your thoughts. I'm not worried about scaling and other aspects, but I do think about them. In my opinion, architectural decisions are the most important ones (across the technological dimension), and fixing wrong or suboptimal architectural decisions is costly and/or difficult and sometimes outright not feasible.
True, but you can further break architectural decisions down into those that are easy to change and those that aren't. If something is easy to change you may as well implement the simple version first.