If you can decode JWT, how are they secure?

Backend · Unresolved · 7 · 1139
遥遥无期 2020-11-22 10:49

If I get a JWT and I can decode the payload, how is that secure? Couldn't I just grab the token out of the header, decode and change the user information in the payload, an

7 answers
  •  失恋的感觉
    2020-11-22 11:39

    Only JWT's privateKey, which is on your server will decrypt the encrypted JWT. Those who know the privateKey will be able to decrypt the encrypted JWT.

    Hide the privateKey in a secure location in your server and never tell anyone the privateKey.
