A JWT is created with a secret key, and that secret key is private to you, which means you never reveal it to the public or embed it inside the JWT. When you receive a JWT from the client, you can verify it with that secret key stored on the server.
How do I verify a JWT?
To validate a JWT, your application needs to: Check that the JWT is well formed. Check the signature. Check the standard claims.
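The three checks above, as an added example that is not code from the original page: a standard-library verifier for an HS256 (shared-secret) token. The function names, the issuer and audience parameters, and the choice of HS256 are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    # JWT uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Helper that builds a constructed sample token for the demonstration.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    now = time.time() if now is None else now
    # 1. Well formed: three base64url parts, JSON objects for header and payload.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError as exc:  # covers base64, UTF-8 and JSON decode errors
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm on the server; never let the token choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # 2. Signature: recompute the HMAC over the received bytes, compare in constant time.
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # 3. Standard claims: expiry, issuer, audience (a single-string "aud" is assumed).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    return claims
```

Claims are read only after the signature check passes, so nothing in an unverified payload influences the decision.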