The original JWT string. Forward to a backend that holds your YAXI API secret (the same key used to mint tickets); verify the signature there and act on the verified payload server-side.