After initial validation of JWT HS256, all subsequent input secrets (right or wrong) display Signature Verified.
I should be able to validate, remove a character then see Invalid Signature. Re-type that character and the signature is valid again.
Now, luckily, I used the JavaScript Web Crypto API to double-check, but JWT.io will just say yes to anything for HS256.
Why?
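
An added example, not part of the original post: a stand-alone HS256 check with the Web Crypto API, usable as an independent reference when a debugger's verdict is in doubt. The function names, the sample payload and the secret are constructed for illustration.

```javascript
// Uses the global Web Crypto API; falls back to Node's webcrypto export if absent.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

// JWT segments are unpadded base64url; convert to and from raw bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
async function hmacKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Builds a token for the demo (constructed sample, not a real credential).
async function signHs256(payload, secret) {
  const head = bytesToB64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = bytesToB64url(enc.encode(JSON.stringify(payload)));
  const key = await hmacKey(secret, "sign");
  const sig = await subtle.sign("HMAC", key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${bytesToB64url(new Uint8Array(sig))}`;
}

// Resolves to true only when the signature matches for exactly this secret.
async function verifyHs256(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    const header = JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[0])));
    if (header.alg !== "HS256") return false; // accept only the expected alg
    const key = await hmacKey(secret, "verify");
    return await subtle.verify("HMAC", key, b64urlToBytes(parts[2]),
      enc.encode(`${parts[0]}.${parts[1]}`));
  } catch {
    return false; // malformed base64url, JSON, or unusable key
  }
}

// Right secret, one character removed, character re-typed.
async function demo(secret = "constructed-demo-secret") {
  const token = await signHs256({ sub: "1234567890" }, secret);
  const shorter = secret.slice(0, -1); // one character removed
  return Promise.all([secret, shorter, shorter + "t"].map((s) => verifyHs256(token, s)));
}
```

Calling `demo()` resolves to the three verdicts in order, which is the valid, invalid, valid sequence the post expects from a correct verifier.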