Jon Web Token to authenticate user to use api

I think we can use json web token to authentiate user to use api other than using session. If attacker gain our session he can do all thing, but when he gain token he can do only little thing.
