[keycloak-user] Sessions vs Tokens

I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access. The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT. Is this the standard behavior? If there is no JWT, where are the claims read from? Matt