@nmrshll
10x CEO Ninja ultrapreneur / profesional interwebz dev
Nothing here yet.
JWT is simply a signed token format; OAuth is a wider spec that says how servers create and handle those tokens, what clients should do with them (to get one, or after they've got one), and how they are passed between server and client. So OAuth is a protocol. If you implement the OAuth spec, you can use JWT as a token format. See more details here
To try to simplify it, a JWT is just data (in JSON format, with some standard fields) that is signed cryptographically. It's usually used for authenticating across different services / servers without having each service ask the authentication server if you actually logged in.

E.g.: imagine a website with two servers: one auth server (for logging in) and one resource server (that has some of your user data you can retrieve or change).

First, you log in with your credentials on the auth server (something that holds a database of users and hashed passwords). If you give it valid credentials it will create and give you back a JWT that is signed cryptographically (that means only that server can have created that particular signature, so anyone who knows that server's public key can check the data was signed by it).

Later, when you send a request to the resource server, you join the JWT, and that server can check that it was indeed created by the auth server (by checking the signature) without asking the auth server.

^^ this is the key part. It means the auth server will have a lot less work to do, and it won't be a bottleneck when your website grows.