
I think you're thinking of a different attack vector, namely, forging a new JWT.

Whereas the parent poster said "what would happen if I stolen his token" (for example, via XSS). So in that case, it's a legit token in the hands of a bad actor, and the signature would still be valid as far as the backend could tell.
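The distinction above, shown in code as an added illustration that is not part of the thread: a self-contained HS256 mint/verify pair (standard-library only, with a constructed demo secret) where a stolen token passes signature verification exactly like the legitimate one, a forged token does not, and the only server-side levers against theft are the token's expiry and an explicit revocation list keyed on `jti`.

```python
import base64, hmac, hashlib, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed value for this example, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, secret: bytes = SECRET, revoked=frozenset(),
           now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token: the signature does not match
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # a stolen token stops working once it ages out
    if claims.get("jti") in revoked:
        return None  # a stolen token stops working once its id is revoked
    return claims

def demo(now: float = 1_700_000_000.0) -> dict:
    """Stolen vs forged: the backend cannot tell a thief from the owner by the signature alone."""
    legit = mint({"sub": "alice", "jti": "t-1", "exp": now + 300})
    forged = mint({"sub": "admin", "jti": "t-2", "exp": now + 300}, secret=b"attacker-guess")
    return {
        "stolen_accepted": verify(legit, now=now) is not None,                 # True
        "forged_accepted": verify(forged, now=now) is not None,                # False
        "stolen_after_expiry": verify(legit, now=now + 301) is not None,       # False
        "stolen_after_revocation": verify(legit, revoked={"t-1"}, now=now) is not None,  # False
    }
```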
