Remember: the header and payload are only base64url-encoded, so anyone can read and rewrite them. Only correct server-side signature verification stops a forged token.
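As an added example (not code from the original page), a minimal HS256 verifier in Python's standard library: it pins the algorithm server-side, checks the signature over the exact header.payload bytes, and enforces exp. The key and all token values are constructed for the example.

```python
import base64, hashlib, hmac, json
# Verifier configuration; the key is constructed for this example only.
SECRET = b"constructed-demo-key-not-for-production"
ALLOWED_ALGS = {"HS256"}  # pinned server-side; the token's own 'alg' never picks the check

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def read_token(token: str) -> tuple[dict, dict]:
    """No key needed: header and payload are plain base64url JSON."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def with_payload(token: str, payload: dict) -> str:
    """Rewrite the payload but keep the original signature (the edit anyone can make)."""
    h, _p, sig = token.split(".")
    return f"{h}.{b64url_encode(json.dumps(payload).encode())}.{sig}"

def sign(payload: dict) -> str:
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, now: int) -> dict:
    """Server side: raises ValueError on any defect, otherwise returns the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    if json.loads(b64url_decode(h)).get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")  # covers alg=none and algorithm swaps
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # any edit to header or payload ends here
    payload = json.loads(b64url_decode(p))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("missing or expired exp")
    return payload

def is_valid(token: str, now: int) -> bool:
    try:
        verify(token, now)
        return True
    except (ValueError, AttributeError, TypeError):
        return False
```

The rewritten payload decodes fine with read_token, which is the point: readability says nothing about authenticity, and only the signature check and the pinned algorithm decide whether the token is accepted.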