by prabaths
3166 days ago
Well, I am not quite clear from your comment how you interpret. This is my point - as also rightly in the JWT RFC.

"JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted."

"JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization."

A JWT will only exist as a JWS or JWE. It does not exist by itself - it's an abstract concept.

Regarding HMAC - it's not recommended for the context of this article. It's not a recommended approach to do authentication with shared keys in a distributed environment.
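The point that a JWT only ever appears on the wire as a JWS or a JWE can be checked mechanically. The following is an added example, not part of the comment above: it classifies a compact-serialized token by segment count and the `enc` header member. The function names, the demo key and the JWE-shaped sample (placeholder bytes, not real ciphertext) are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_header(header: dict) -> str:
    return b64url(json.dumps(header, separators=(",", ":")).encode())

def make_jws(claims: dict, key: bytes) -> str:
    """Serialize claims as an HS256 JWS in compact form (3 segments)."""
    head = encode_header({"alg": "HS256", "typ": "JWT"})
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

# Constructed sample: JWE-shaped token using direct encryption ("dir"), so the
# encrypted-key segment is empty. IV, ciphertext and tag are placeholders.
SAMPLE_JWE = ".".join([
    encode_header({"alg": "dir", "enc": "A256GCM"}), "",
    b64url(b"\x00" * 12), b64url(b"placeholder-ciphertext"), b64url(b"\x00" * 16),
])

def classify_jwt(token: str):
    """Return ("JWS" | "JWE", header) or raise ValueError."""
    parts = token.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("first segment is not a base64url JSON header") from exc
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    if len(parts) == 3 and "enc" not in header:
        return "JWS", header   # header.payload.signature
    if len(parts) == 5 and "enc" in header:
        return "JWE", header   # header.key.iv.ciphertext.tag
    raise ValueError("neither JWS nor JWE compact serialization")

if __name__ == "__main__":
    print(classify_jwt(make_jws({"sub": "alice"}, b"constructed-demo-key")))
    print(classify_jwt(SAMPLE_JWE))
```

A header and claims set with no third segment is rejected, which is the "does not exist by itself" case: there is no serialization for bare claims.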