B01 - JWT tokens with invalid signatures are sent to the protected server. However, since the server does not validate the signatures, it accepts the tokens and executes the malicious payloads.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImF0dGFja2VyIiwicm9sZSI6ImFkbWluIiwibWVzc2FnZSI6ImhlbGxvIn0.2QdwhF4codyZHViO2LuUxNuVEgj0-ZD2AbCmgMqzjAo
This way, the attacker now has hold of the server's secret signing key.
B02 - JWT tokens with valid signatures are sent to the protected server. This assumes the attacker has obtained the JWT secret key by brute force, since the server uses a very weak secret key, and the attacker is now able to re-sign the manipulated JWT tokens.
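Both cases come down to what the server does before trusting the claims: it must recompute the HS256 HMAC over `header.payload` with its own key and compare it in constant time (the check skipped in B01), and it must refuse to operate with a key shorter than the hash output, which is the brute-force surface in B02. The following is an added example, not code from the writeup; it decodes the token quoted above for inspection and uses a constructed 32-byte demo key (an assumption, the page's key is unknown) to show an unsigned or re-used signature being rejected.

```python
import base64, hashlib, hmac, json, secrets

MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: HMAC key at least as long as the hash output

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Issue a token the way a careful server would: key length is enforced."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 32 bytes")
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token, key):
    """Return the claims only if the HS256 signature is valid; raise ValueError otherwise."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("refusing to verify with a weak key")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server, not the token, picks the algorithm
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("invalid signature")  # this is the check the B01 server skipped
    return json.loads(b64url_decode(parts[1]))

def is_valid(token, key):
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False

def claims_unverified(token):
    """Inspection only: decode the payload without trusting it."""
    return json.loads(b64url_decode(token.split(".")[1]))

# Token quoted in the writeup above; its signing key is unknown here.
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJ1c2VybmFtZSI6ImF0dGFja2VyIiwicm9sZSI6ImFkbWluIiwibWVzc2FnZSI6ImhlbGxvIn0."
              "2QdwhF4codyZHViO2LuUxNuVEgj0-ZD2AbCmgMqzjAo")
# Constructed demo key (an assumption, not from the page): 32 random bytes, the floor for HS256.
DEMO_KEY = secrets.token_bytes(32)
```

The length floor only rules out keys that are trivially short; a 32-byte key drawn from a wordlist is still guessable, so generate it randomly as above and rotate it if a leak is suspected.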