I am using a Laravel backend, generated and downloaded here - https://auth0.com/docs/quickstart/backend/laravel/01-authorization
I’ve created a new middleware and now I check permissions for every protected route (it is identical to CheckScope, the only difference is that it checks not scope but permissions encoded in the access token).
One thing I can’t understand is how your PHP library, integrated into Laravel, verifies the JWT. I edit the secret in .env and I get no errors. I edit all Auth0 settings (to wrong values) in .env and I get no errors again. If there is no checking, then any user can send a JWT with the necessary permission and the API will provide data.
Should I somehow verify signature and how? Why are those settings needed?
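
Added example, not part of the original post and not the Auth0 SDK's own code: a minimal HS256 check in plain PHP showing that a `permissions` claim should be read only after the signature verifies against the configured secret. The secret, the claims and all function names are constructed for illustration; an API configured for RS256 verifies against the tenant's public key instead of a shared secret.

```php
<?php
// Added illustration: constructed secret and claims, not the Auth0 SDK's code.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt): string {
    $txt = strtr($txt, '-_', '+/');
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode($txt, true);
}
// Builds a test token (hypothetical helper, used only to create sample input).
function make_token(array $claims, string $secret): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", $secret, true));
}
// Returns the permissions array only if signature and expiry check out, else null.
function verified_permissions(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    $header = json_decode(b64url_decode($head), true);
    // Pin the algorithm server-side; never let the token choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$head.$body", $secret, true);
    if (!hash_equals($expected, b64url_decode($sig))) {
        return null; // payload was edited or a different secret signed it
    }
    $claims = json_decode(b64url_decode($body), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null;
    }
    return is_array($claims['permissions'] ?? null) ? $claims['permissions'] : [];
}

$secret = 'constructed-demo-secret';
$token  = make_token(['permissions' => ['read:messages'], 'exp' => time() + 300], $secret);
// Same header and signature, payload swapped for one claiming another permission.
[$h, , $s] = explode('.', $token);
$edited = "$h." . b64url(json_encode(['permissions' => ['delete:messages'], 'exp' => time() + 300])) . ".$s";

var_dump(verified_permissions($token, $secret));
var_dump(verified_permissions($edited, $secret));
var_dump(verified_permissions($token, 'changed-secret'));
```

Only the first call returns the permissions; the edited payload and the changed secret both fail the signature comparison. A middleware that keeps accepting tokens after the secret in `.env` is changed is therefore not running a check of this kind on the path being tested.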