Why JWT better then store credentials?

Question

Why the JWT important more then hashed password?

So I've read some of articles about the JWT mechanism and I'm pretty sure I can say that I've got the concept.

We do have secret key in the server side. We get base64encrypted (heade.payload) - and with the whole thing we verify if the token we got by the client is valid.

Well, so far so good. But, since the client can read the payload (by decode64..), he can change the payload and also get verified with some else payloads.

Let's say I have a verified token, this token also stored in my db in "x" user. Now I want to change the email of my user (user "x"). Can I (as the system developer) trust only about the matched tokens (db token in user "x" and the token the client sends)? Or do we need more extra check with email+password for example? The thing is the token value no longer valid after X hours?

I saw examples which the client, after he authenticate via JWT - needs also to provide email & password to truly check if the credentials are correct... So what we've done here more then just add some extra weak barrier before the real authentication by the db and client credentials?

And if the token is for encrypt the user credentials - since anyone's who got the signed token can read the payload, why not just we save directly the credentials (email+password) with cookie or something like this?

What do I missing here?

################

EDIT -

To be more clarify: So let's say there is such a scenario: A user enters his private personal area to view the messages he has received. It sends an API request to "/api/my-profile" with the TOKEN which is "header.payload.secret". The system does verify - ok by now, the user did provide a proper TOKEN. Now my question, is -

1. Can the system trust the user here (because the TOKEN was authenticated), and retrieve the private messages for him according to the PAYLOAD that the user requests (say {user_id: 10})?

or

2. The system, even though it has verified that the TOKEN is valid, needs further verification that the user is indeed who he says he is (user_id = 10)? And to verify this I think she must get the user's encrypted password with id / email (something unique)?

From my understanding Case 2 is correct because surely in Case 1 there is a serious security issue (since any user, even if verified, can request details of another user).

--

Here is 2 verified JWT with only changed the payload: 1 - https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTAiLCJwYXNzd29yZCI6ImFiYyJ9.BoiVLHPTCtpcp7P9BIan9ZptJHvxUlOmoAoAUqHvjJE

2 - https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTUiLCJwYXNzd29yZCI6Im5vdC1tYXR0ZXIifQ.i6TkRDnyqcDsgwbFnG9QfSI1Wayj5YmwEOqydxU2MMo

Hope my question is more understood here

Answer 1

The token is not for encrypting your credentials. Is all about giving access to API's and authenticating the user.

The benefit with using JWT tokens istead of username/password is that it is easier to refesh the JWT token than having all your clients to update username/password.

No-one receiving or seeing the JWT tokens will not be able to modify it, because they do not have the private key that the tokens were signed with. They can only validate it, using the public key.

Also with openid-connect, you delegate the authentication to some trusted service that do the authentication for you and you use JWT-token to transfer the identity of the user (IDToken) and access tokens to get access to APIs.