2026-04-07

Auth, sessions, and guest identity

Signed-in users and guests share the core mission path with different persistence and limits.

See also: docs/auth-and-identity.md

Sessions are how the server knows who is asking. Get this wrong and you leak data. Make it too strict and you block signups. The product has to be explicit about guests versus accounts.

We follow patterns that line up with OWASP's session management guidance: tight cookies, clear lifetime, and no ambiguous identity on protected routes. Where we issue a JWT-shaped token, RFC 7519 is the shared vocabulary for what "signed claims" means.
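As an added example (not the project's own code), the pieces that paragraph names in running form: an HS256 token in RFC 7519's compact serialization with an explicit lifetime, the identity check a protected route runs so that a guest is a limited identity rather than an ambiguous one, and the Set-Cookie attributes that keep the cookie tight. The secret, the session TTL and the private "kind" claim are assumptions; only sub, iat and exp are registered RFC 7519 claim names.

```python
# Added example, not the project's code: minimal RFC 7519-style HS256 mint/verify,
# the identity resolution a protected route runs, and the cookie attributes it issues.
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed; a real key comes from config, never source
SESSION_TTL = 3600                    # explicit lifetime in seconds, also used for Max-Age

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(subject, kind, now=None):
    """Issue a compact JWS (header.payload.signature) with iat and exp set."""
    now = int(time.time()) if now is None else now
    def compact(obj):
        return _b64(json.dumps(obj, separators=(",", ":")).encode())
    header = compact({"alg": "HS256", "typ": "JWT"})
    payload = compact({"sub": subject, "kind": kind, "iat": now, "exp": now + SESSION_TTL})
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token, now=None):
    """Return the claims if signature and lifetime check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":  # reject "none" and alg swaps
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if "sub" not in claims or not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            return None  # no subject, or outside the declared lifetime
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed token is a deny, not a guest
        return None

def resolve_identity(cookie_token, now=None):
    """What a protected route sees: account, limited guest, or an explicit deny."""
    claims = verify(cookie_token, now) if cookie_token else None
    if claims is None:
        return {"allow": False, "reason": "no valid session"}
    kind = claims.get("kind")
    if kind in ("account", "guest"):  # guests are allowed but carry limits
        return {"allow": True, "who": claims["sub"], "limits": None if kind == "account" else {"persist": False}}
    return {"allow": False, "reason": "ambiguous identity"}  # unknown kind never degrades to guest

def session_cookie(token):
    """Set-Cookie value with tight attributes: no JS access, HTTPS only, no cross-site send."""
    return f"session={token}; Max-Age={SESSION_TTL}; Path=/; HttpOnly; Secure; SameSite=Lax"
```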

So what

If you are reviewing our stack, start with the session table in the data model, then the proxy rules. The user story should read like a short compliance memo, not a single magic string called auth.