Ahh, I see, yeah, so it's secure. Got it.
And also, if I have application logic based on userType: 'admin' (which is in the JWT payload), is this insecure? For example, I can have some sensitive routes that only work for admin (like changing a user account). Is it dangerous to decide this from jwtPayload? If it is, where should I put 'userType'?