且构网 - sharing the things programmers develop

Why can I easily decode the auth0 id_token on jwt.io?

Updated: 2023-09-28 22:49:34

If claims like roles are stored in localStorage unprotected, what's stopping me from going to the Firefox console and changing the token, e.g. making myself an admin?

Because the JWT is signed, any change to the content or to the signature will be detected during verification.

The digital signature, the third part of a JWT token like hhhhhh.ppppppp.ssssss, is created using the server's private key, and is the way you can verify the identity of the issuer of the token and also that it has not been altered.

If you want to hide the payload, the JWT specification allows the use of encryption (see JSON Web Encryption, JWE, in the RFC). If auth0 does not support it, you have a lot of libraries listed on jwt.io.