//because the signature token is invalid, jwt.verify's secret public key does not match jwt.sign // true jwt.sign({'username'}, '123') jwt.verify(token, '123') // false jwt.sign({'username'}, '123') jwt.verify(token, '12345')