Because the when you call

getSession

, the JWT signature is verified. Only if that verification succeeds, will the function return the session object