Decode a JSON Web Token, edit the payload and re-sign it with real HMAC-SHA256 (Web Crypto — not faked), then watch a Spring Security resource server validate it: signature → expiry → scopes. Tamper with it or let it expire and watch it get rejected. 100% in your browser.
| Claim | Value | Meaning |
|---|