https://datatracker.ietf.org/doc/html/rfc7518#section-3.6
If you use "none", anyone can forge a JWT that says anything. I always say:
* You should have some other way of verifying that the JWT was unchanged by the client, like, say, being on a private network or using client TLS certs.
and
* You should benchmark and know that the signing overhead is a significant source of performance degradation in your system.
Otherwise, sign your JWTs! :)
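
An added example, not part of the original comment: a minimal HS256 verifier that pins the accepted algorithm instead of trusting the token's `alg` header, so a token in the `"none"` form from RFC 7518 section 3.6 is rejected. The function names, key, and sample tokens are constructed for illustration, and expiry/audience checks are out of scope here.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + b64url_encode(_mac(signing_input, key))

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the token is HS256-signed with `key`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header is client-controlled input, so compare it
    # against the one algorithm accepted here; never use it to pick one.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the recomputed MAC with the presented one.
    if not hmac.compare_digest(signature, _mac(f"{header_b64}.{payload_b64}", key)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample data (not from the original page).
KEY = b"constructed-demo-key-not-for-production"
CLAIMS = {"sub": "alice", "admin": False}
# Constructed unsigned token: alg "none" with an empty signature part.
NONE_TOKEN = (b64url_encode(b'{"alg":"none"}') + "."
              + b64url_encode(b'{"sub":"alice","admin":true}') + ".")

if __name__ == "__main__":
    print("signed token  ->", verify_hs256(sign_hs256(CLAIMS, KEY), KEY))
    try:
        verify_hs256(NONE_TOKEN, KEY)
    except ValueError as err:
        print("alg=none token -> rejected:", err)
```
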