The token contains all information the server needs to verify the session.
In order to verify the validity of the token, the server needs to know the secret with which the server signed the token in the first place (i.e. when the server created that token). The secret is not stored in the token!
In order to verify the validity of the token, the server needs to know the secret with which the server signed the token in the first place (i.e. when the server created that token). The secret is not stored in the token!
That is true. This is how signing works. „all information“ is indeed misleading in this case. I will edit it.