I'm starting to work with JWT.
I am integrating it into a Web project, therefore I see the HTTPS calls in the console and with it, their answers (in JWT)
I think it's a great feature to obfuscate data, but I see a big security flaw, how is it possible to copy that response, paste it on your website and see the data without putting the signature? It is clear that it makes invalid signature, but you see all the data of the answer.
Is it because I'm doing something wrong? Or is JWT really so insecure?