A JSON Web Token is an encoded representation of a data structure. This encoded data is not required to be encrypted, but it is acceptable for it to be.
From the code signing definition:
Code signing is the process of digitally signing executable files and scripts to confirm the software author and to ensure that the code has not been modified or corrupted since it was signed, using a cryptographic hash.
A JWT that has been encrypted typically has two hash values, the first to decrypt the data, the second to verify the code signature. Decoding an unencrypted JWT is a standardized process and can be performed even if the code is not verified. However, it is recommended that you do not use any data in the JWT if the hash of the signature does not match, as this indicates that the data is subject to change.
Not all JWT implementations support encryption; in particular, there is no encryption support in the Microsoft JWT implementation (fooobar.com/questions/329375). Therefore, if you have data that you must provide but that must remain secret, you must encrypt the data using JWE. The JWT standards documentation shows an example of this process. First, the data is encrypted; then the encrypted output is sent as the JWT payload, as a string, and decoded.
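The answer above makes two points that are easy to get wrong in practice: decoding a JWT needs no key at all, and a token whose signature does not match must not be trusted. The following example is added here and is not from the answer or from any JWT library; it uses only the Python standard library to build an HS256-signed token, decode it without verification, and then verify it with a constant-time comparison. The key and the claims are constructed sample values. JWE (payload encryption, as the answer recommends for secret data) is not shown, since it needs a dedicated library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real key would come from a secrets store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515 section 2) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Decoding is pure base64url + JSON: anyone can read an unencrypted JWT."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature matches; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Accept only the algorithm this service expects; never trust the header to pick it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def replace_payload(token: str, new_claims: dict) -> str:
    """Simulate a token whose payload was changed in transit, signature left as-is."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + sig_b64


def demo() -> dict:
    """Show that decoding works regardless, but verification rejects a modified token."""
    token = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    modified = replace_payload(token, {"sub": "alice", "role": "admin"})
    return {
        "verified_original": verify_hs256(token, DEMO_KEY),
        "verified_wrong_key": verify_hs256(token, b"some-other-key"),
        "verified_modified": verify_hs256(modified, DEMO_KEY),
        "unverified_modified_role": decode_unverified(modified)[1]["role"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `demo()` is the last two entries: the modified token still decodes (and claims to be an admin), but `verify_hs256` returns None for it, which is exactly the case where the answer says not to use any data from the token.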