Ahh I see. So the access token we issue isn't a JWT. It's a signed cookie, but not a JWT. So don't treat it as such