I can't quite understand how secure JWT tokens are. If a user makes an HTTP request and the JWT token is authorized. Can I fetch the UserId from the JWT (we of course store the user id in the claim). Or is there a possibility that someone can manipulate the JWT token and change his/her userId?
Incase JWT is not a good practice to extract userId. Do we have another way to do that? (.Net core web api)