23 Feb
Why can’t I generate my own JWT to fake authentication?
JWT tokens are self-contained. If a valid JWT token contains a username and the token is valid, then the endpoint will think the user is authenticated.
The token can be decoded and all fields seen.
What if I generate a token on my side and fill it with data I saw, how will the system distinguish my token from its own ones?
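
What a verifier checks, as an added example that is not part of the original post: the third token segment is a signature over the header and payload, computed with a key only the issuer holds, so copying readable claims into a new token does not reproduce it. The example assumes HS256 (HMAC-SHA256); the key, the claims and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token: header.payload.signature, signature = HMAC(key, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def read_claims_unverified(token: str) -> dict:
    """Anyone can do this: the payload is only base64url-encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature matches the verifier's key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm on the verifier side; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token: wrong segment count, bad base64 or JSON

# Constructed sample data: the server's secret never leaves the server.
SERVER_KEY = b"constructed-server-secret-for-demo"
ISSUED = sign_hs256({"sub": "alice", "admin": False}, SERVER_KEY)
# Same readable claims, but signed by someone who does not hold SERVER_KEY.
FORGED = sign_hs256(read_claims_unverified(ISSUED), b"key-chosen-by-someone-else")

if __name__ == "__main__":
    print("issued accepted:", verify_hs256(ISSUED, SERVER_KEY) is not None)
    print("forged accepted:", verify_hs256(FORGED, SERVER_KEY) is not None)
```

The protection rests entirely on the key staying secret and on the endpoint actually running the verification step; an endpoint that only decodes the payload would accept both tokens.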