# support-questions-legacy
👋 hey, I have a fairly dumb question about the security model around the access token payload. Let's say I'm using it to encode certain roles that a user can have (admin, user, owner, etc.). This is technically visible to the client, right? Like, they can see the keys I put in there since the token can be decoded; however, they won't be able to set their own keys without the signing key, therefore they can't gain access to sensitive information. Is that the right mental model, or am I completely missing it?
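The two halves of that mental model (readable payload, unforgeable signature) can be checked directly. The following is an added example, not code from the question or from any particular token library: a minimal HS256 JWT signer and verifier built only from the Python standard library. The signing key, the user id and role claims, and the function names are all constructed for the demonstration.

```python
"""Added example (not from the original post): a minimal HS256 JWT
signer/verifier from the Python standard library, used to show that the
payload is readable by anyone holding the token while the signature stops
anyone without the key from changing it.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample key; a real signing key is random and stays server-side.
SERVER_SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding so the standard decoder accepts the segment.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Build header.payload.signature, HMAC-SHA256 over the first two segments."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(payload)}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def decode_payload_unverified(token: str) -> dict:
    """What the client can read: the payload is only base64url-encoded, not
    encrypted, so no key is needed to see the role claim."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes):
    """Server-side check: recompute the HMAC and compare it in constant time.
    Returns the payload dict on success, or None for any altered or malformed token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            # Only accept the algorithm we issue; never trust the token's own 'alg'.
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        # Covers bad segment count, bad base64 (binascii.Error) and bad JSON.
        return None


def edit_payload_without_resigning(token: str, new_role: str) -> str:
    """Model a client that edits its own payload but has no key to re-sign it:
    the payload segment changes while the original signature is kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["role"] = new_role
    return f"{header_b64}.{_json_segment(payload)}.{sig_b64}"


if __name__ == "__main__":
    token = sign_jwt({"sub": "user-123", "role": "user"}, SERVER_SIGNING_KEY)
    print("client can read:", decode_payload_unverified(token))
    print("server accepts genuine token:", verify_jwt(token, SERVER_SIGNING_KEY))
    edited = edit_payload_without_resigning(token, "admin")
    print("client can still read edited claim:", decode_payload_unverified(edited))
    print("server accepts edited token:", verify_jwt(edited, SERVER_SIGNING_KEY))
```

The important design point on the server side is that `verify_jwt` is the only path that turns a token into trusted claims: the role read back from `decode_payload_unverified` is never used for an authorization decision, the algorithm is pinned rather than read from the token, and the comparison uses `hmac.compare_digest`. Anything that should stay hidden from the user must not go in the payload at all, since confidentiality is not something a signature provides.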