Currently, the Identity bean is session scoped.

In order to better support some RESTful and mobile use cases, we need to provide a stateless version of the Identity bean. The reason is because some use cases, like someone writing a RESTful API, don't require a session for each authenticated user, but only check whether the provided credentials are valid or not.

A good example is a REST API providing an authentication endpoint. Where this endpoint only returns a token (JWT, for example) after the authentication. Subsequent calls to other services would just validate the token, instead of relying on the session to know when an client request was previously authenticated or not.