I have Angular on the frontend and PHP on the backend of my website. I am using this library to create a JWT:
I create the token on the server like this:
$jwt = JWT::encode($payload, JWT_SECRET_KEY);
It has a secret key with which you create the JWT and then it is being checked on any subsequent call to the API, which makes sense. However, I went to jwt.io and just pasted in the JWT and jwt.io was able to decipher it correctly and display the payloads. I don't want this to happen, since that would mean that anyone can just create that token himself and authenticate against the server. What am I doing wrong here, does anyone know?
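The behaviour described in the question, as an added example that is not part of the original post and is not the PHP library's code: an HS256 token's payload is only base64url-encoded, so any decoder can read it, while the secret key is used solely for the signature the server checks. The secret, the claims and all function names below are constructed for illustration, using Node's built-in `crypto` module.

```javascript
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url").toString("utf8");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Server side: header and payload are encoded, not encrypted; only the HMAC uses the secret.
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// What a JWT debugger does: decode the middle segment. No key is involved.
function decodeUnverified(token) {
  return JSON.parse(fromB64url(token.split(".")[1]));
}

// What the API does on every call: recompute the HMAC and compare in constant time.
function verify(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header;
  try { header = JSON.parse(fromB64url(head)); } catch { return null; }
  if (!header || header.alg !== "HS256") return null; // pin the algorithm server-side
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(fromB64url(body));
}

// Same readable claims with a change, re-signed by a party that does not know the secret.
function resignWithoutSecret(token, changes) {
  return sign({ ...decodeUnverified(token), ...changes }, "guessed-key");
}

// Constructed sample values.
const SECRET = "constructed-demo-secret";
const token = sign({ sub: "42", role: "user" }, SECRET);

console.log(decodeUnverified(token)); // claims are readable without the key
console.log(verify(token, SECRET));   // claims returned: signature matches
console.log(verify(resignWithoutSecret(token, { role: "admin" }), SECRET)); // null: rejected
```

Since anyone holding the token can read its payload, keep passwords and other confidential values out of the claims.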