1 post
A JWT is a signed data structure, not authentication. The security lives in the verifier, not the token. Where validation is optional, the boundary is gone.
