If you don't have patience for RFCs and specs, just go play with an open-source IDP, or better, start from an OpenID Connect client and server library,
and try to integrate it into your "hellohell" app ;)
Very soon you will find out why developers keep building their own IDPs and how simple OpenID Connect can become a full-time business.
https://www.rfc-editor.org/rfc/rfc7519
It can be signed with the HMAC SHA-256 algorithm: {"typ":"JWT", "alg":"HS256"}
Ripping off JWT from surrounding context is a road to hell.
It's worth studying JWT in the context of OIDC (OpenID Connect) IDP providers.
You will quickly bump into buzzwords like client (RP), server (OP), PKCE, Token Exchange, mTLS and all kinds of Implicit, Hybrid flows.
My biggest regret is that I didn't go through the JWT-related RFCs and OpenID Connect specs earlier.
[1]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFl... 3.1. Authentication using the Authorization Code Flow
[2]: https://openid.net/specs/openid-connect-core-1_0.html#Implic... 3.2. Authentication using the Implicit Flow
[3]: https://openid.net/specs/openid-connect-core-1_0.html#Hybrid... 3.3. Authentication using the Hybrid Flow
[4]: https://openid.net/specs/openid-connect-core-1_0.html#Client... 9. Client Authentication
[5]: https://openid.net/specs/openid-connect-core-1_0.html#Refres... 12. Using Refresh Tokens
[6]: https://openid.net/specs/openid-connect-discovery-1_0.html OpenID Connect Discovery 1.0 incorporating errata set 1
[7]: https://www.rfc-editor.org/rfc/rfc7523.html JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
[8]: https://www.rfc-editor.org/rfc/rfc7636.html Proof Key for Code Exchange by OAuth Public Clients
[9]: https://www.rfc-editor.org/rfc/rfc8693.html OAuth 2.0 Token Exchange
[10]: https://www.rfc-editor.org/rfc/rfc8628.html OAuth 2.0 Device Authorization Grant
[11]: https://www.rfc-editor.org/rfc/rfc8705.html OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
Go back here and here http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...
And reflect yourself
Trust nobody