It's not clueless or sloppy. They are most likely using https://en.wikipedia.org/wiki/JSON_Web_Token which is a well-defined standard and extremely common in the authentication world because it makes a ton of sense. It lets your authentication server be mostly stateless instead of storing tons of sessions unnecessarily.
wizofaus|3 years ago