Is it enough to do JWT.decode() on the value of the cookie? How does that verify that is the correct issuer(its a external service)