JWT is incredibly popular, and there is a constant desire to make it faster.
Based on these two facts, let's talk about one of the attack vectors and how to defend against it.
Let's take a look at the example of incremental IDs.
What should we do in this case?
Use different private keys on different environments.
Do not forget to include the domain in the token, and check that domain on the server.
Close access to the staging environment.
Arrange a security audit. Unfortunately, even very experienced developers make the mistakes described here, so an independent expert's opinion is indispensable.