> The same is true online. A cryptographic signature that claims “I am acting on behalf of X” means nothing unless it is tied to something real, like a verifiable infrastructure or a range of IPs. Without that, I can simply hand the passport to another agent, and they can act as if they were me. The passport becomes nothing more than a token anyone can pass around.
How does this person think JWTs work?
Hi, "this person here". Cloudflare will block that request that has a JWT because "it does not come from a person".
What I was trying to say is that even the discussion "is this a bot 100% sure or not" makes no sense.