Description
When using flask_jwt_extended to create and verify access tokens (HS256), I noticed that modifying the last 1–2 characters of the token still results in a successful verification — the request is not rejected by @jwt_required().
I call the API using a curl command; as an example, the real token is:
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc2MDYyMjk2OSwianRpIjoiN2Y0NzgxZDQtOTE2ZS00OWJiLWE0OWYtMmNhZGU3MWYzZmNhIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6Im5hdmlkIiwibmJmIjoxNzYwNjIyOTY5LCJjc3JmIjoiMDBhZGVjNWUtYTQ2NS00NmIwLTkxNTktODU2ZDRlMmIwNTU1IiwiZXhwIjoxNzYwNjIzMDI5fQ.qRmogYLGxISt1klwYxepJCh4wYBYihFlFYN5ADaSt34"
but it also passes with these tokens:
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc2MDYyMjk2OSwianRpIjoiN2Y0NzgxZDQtOTE2ZS00OWJiLWE0OWYtMmNhZGU3MWYzZmNhIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6Im5hdmlkIiwibmJmIjoxNzYwNjIyOTY5LCJjc3JmIjoiMDBhZGVjNWUtYTQ2NS00NmIwLTkxNTktODU2ZDRlMmIwNTU1IiwiZXhwIjoxNzYwNjIzMDI5fQ.qRmogYLGxISt1klwYxepJCh4wYBYihFlFYN5ADaSt32",
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc2MDYyMjk2OSwianRpIjoiN2Y0NzgxZDQtOTE2ZS00OWJiLWE0OWYtMmNhZGU3MWYzZmNhIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6Im5hdmlkIiwibmJmIjoxNzYwNjIyOTY5LCJjc3JmIjoiMDBhZGVjNWUtYTQ2NS00NmIwLTkxNTktODU2ZDRlMmIwNTU1IiwiZXhwIjoxNzYwNjIzMDI5fQ.qRmogYLGxISt1klwYxepJCh4wYBYihFlFYN5ADaSt24",
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc2MDYyMjk2OSwianRpIjoiN2Y0NzgxZDQtOTE2ZS00OWJiLWE0OWYtMmNhZGU3MWYzZmNhIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6Im5hdmlkIiwibmJmIjoxNzYwNjIyOTY5LCJjc3JmIjoiMDBhZGVjNWUtYTQ2NS00NmIwLTkxNTktODU2ZDRlMmIwNTU1IiwiZXhwIjoxNzYwNjIzMDI5fQ.qRmogYLGxISt1klwYxepJCh4wYBYihFlFYN5ADaSt33"
and so on.
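The mechanism by which the tail of a base64url-encoded HS256 signature can be partly non-binding, shown beside the canonical-encoding check that closes it, as an added example that is not part of this issue and is not flask-jwt-extended's or PyJWT's own code. The secret, header and payload are constructed for the demonstration, and `verify_lenient`, `verify_canonical` and `equivalent_last_chars` are hypothetical names. A 32-byte HMAC-SHA256 tag encodes to 43 characters, which is 258 bit positions for 256 bits of data, so the low 2 bits of the final character are never part of the tag and a lenient decoder (pad to a multiple of 4, then `base64.urlsafe_b64decode`, which is what PyJWT's `base64url_decode` helper does) silently drops them. Which final characters are interchangeable depends on the high bits of the character actually present, so the example computes that set rather than assuming one; it also generalizes to shorter tags (a 22-character value has 4 unused bits).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs for the demonstration (not the reporter's key or token).
SECRET = b"example-secret-not-real"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "navid", "type": "access"}

B64URL_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(text: str) -> bytes:
    """Pad to a multiple of 4 and decode. Python's non-strict decoder
    discards the unused low bits of the final character instead of
    rejecting a non-canonical encoding."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Hypothetical minimal HS256 JWS signer: header.payload.signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def _expected_mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def verify_lenient(token: str, key: bytes) -> bool:
    """Byte-level comparison only: accepts any text that decodes to the
    correct 32 bytes, so the dropped trailing bits are not checked."""
    signing_input, _, sig = token.rpartition(".")
    try:
        raw = b64url_decode_lenient(sig)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(raw, _expected_mac(signing_input, key))


def verify_canonical(token: str, key: bytes) -> bool:
    """Additionally require the presented signature to be the canonical
    encoding of the bytes it decodes to, so every character is bound."""
    signing_input, _, sig = token.rpartition(".")
    try:
        raw = b64url_decode_lenient(sig)
    except ValueError:
        return False
    if b64url_encode(raw) != sig:
        return False
    return hmac.compare_digest(raw, _expected_mac(signing_input, key))


def equivalent_last_chars(sig: str) -> list[str]:
    """All final characters that a lenient decoder maps to the same bytes.
    len % 4 == 3 leaves 2 unused bits in the last character, len % 4 == 2
    leaves 4; a multiple of 4 leaves none."""
    dropped = {2: 4, 3: 2}.get(len(sig) % 4)
    if dropped is None:
        raise ValueError("no unused bits in the final character of this length")
    idx = B64URL_ALPHABET.index(sig[-1])
    keep_mask = 0b111111 & ~((1 << dropped) - 1)
    return [B64URL_ALPHABET[(idx & keep_mask) | low] for low in range(1 << dropped)]


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    sig = token.rsplit(".", 1)[1]
    print(f"signature is {len(sig)} chars, ends in {sig[-1]!r}")
    for ch in equivalent_last_chars(sig):
        variant = token[:-1] + ch
        print(ch, "lenient:", verify_lenient(variant, SECRET),
              "canonical:", verify_canonical(variant, SECRET))
```

The lenient verifier accepts every character in the computed set because the HMAC bytes it compares against are identical for all of them; the signature itself is not forged, only its textual encoding is loosened. Re-encoding the decoded bytes and requiring equality with the presented text, as `verify_canonical` does, makes the full token string binding, and a strict base64 decoder achieves the same.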