In addition to the documentation pointed in the other answer, you mentioned the use of Go and a problem validating the token. There as an issue with a Go library for JWT that would validate that the audience of the token was exactly the same as the one configured which could be a problem in some situation where multiple audiences were present. You can find more information here.
Another thing to have in mind is that a signed JWT can be represented as multiple base64url-encoded parts separated by a dot character and decoding the base64url data does not by itself guarantee any sort of assurance. In particular, if you need to ensure the token comes from a trusted party you’ll need to validate the signature and not just decode the base64url data.