the verification will fail because the user will not know the change in signature that is required when they change the contents of the JWT (since they do not have the private signing key).