That is how jwt’s work. Yes, the user can decrypt it and see the data, but if they modify it, when it gets back to the server it will not match and therefore be invalid.
For this reason do not store any sensitive data in the jwt.
That is how jwt’s work. Yes, the user can decrypt it and see the data, but if they modify it, when it gets back to the server it will not match and therefore be invalid.
For this reason do not store any sensitive data in the jwt.