0

JWT tokens are self-contained. If a JWT contains a username and the token is valid, then the endpoint will think the user is authenticated.

The token can be decoded and all fields seen.

What if I generate a token on my side and fill it with data I saw, how will the system distinguish my token from its own ones?

Conor Mancone
Dims
  • I've edited your question and title a bit for clarity. Feel free to roll back my changes or edit it further if you don't like my changes – Conor Mancone Feb 23 '21 at 13:05

2 Answers

3

Simple: A JWT must be properly signed or encrypted with the private key of the authenticating server.

If you don't have that private key then you would have to sign/encrypt with your own private key. You can do that, and thus generate a valid JWT, but the application you send it to will easily be able to tell it was signed with the wrong key, and thus will refuse to accept it (assuming that there aren't mistakes made during the JWT validation process).

Conor Mancone
  • As someone who's written a toy OAuth Relying Party framework, I will say that the RP does have Issuer keys **that it should check the JWT signatures against**. *e.g.*, for Google, these are got by: https://accounts.google.com/.well-known/openid-configuration → `jwks_uri` field → https://www.googleapis.com/oauth2/v3/certs – JamesTheAwesomeDude Feb 23 '21 at 20:04
0

> What if I generate a token on my side and fill it with data I saw, how will the system distinguish my token from its own ones?

Sure. If you know the secret the server uses, you can do this. If the secret is not secret anymore, the security model of JWT tokens is fundamentally broken, and nothing can rescue it.

Typically HMAC SHA256 is used for authentication:

> JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

vidarlo
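To make the two answers concrete, here is an added example (not code from either answer, and not from any JWT library) of the HS256 sign-and-verify round trip using only the Python standard library. The keys `SERVER_KEY` and `OTHER_KEY` are constructed sample values. It shows three things the thread discusses: anyone holding a token can read its claims without the key; a token built with the same visible claims but a different key is rejected; and a genuine token whose payload was changed after signing is rejected as well.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys (not real secrets): the server's signing key, and a
# key someone without access to the real one would have to use instead.
SERVER_KEY = b"server-signing-key-example"
OTHER_KEY = b"some-other-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ])
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying it: the claims are only base64url-encoded,
    so anyone holding the token can see them. Never use this for authentication."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes):
    """Return the claims if the token was signed with `key`, otherwise None.

    Two of the "mistakes during validation" the first answer alludes to are
    avoided here: the verifier decides which algorithm it accepts rather than
    trusting the header's `alg`, and the MAC is compared in constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None


def demo() -> dict:
    """Run the three cases from the thread and return what the server would accept."""
    claims = {"sub": "alice", "role": "user"}
    genuine = sign_hs256(claims, SERVER_KEY)

    # Same visible claims, but signed with a key that is not the server's.
    lookalike = sign_hs256(claims, OTHER_KEY)

    # The genuine header and signature, with the payload edited after signing.
    header_b64, _, sig_b64 = genuine.split(".")
    edited_payload = _b64url(json.dumps({"sub": "alice", "role": "admin"},
                                        separators=(",", ":")).encode())
    tampered = ".".join([header_b64, edited_payload, sig_b64])

    return {
        "readable_by_anyone": peek_claims(lookalike),
        "genuine": verify_hs256(genuine, SERVER_KEY),
        "lookalike": verify_hs256(lookalike, SERVER_KEY),
        "tampered": verify_hs256(tampered, SERVER_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The rejected cases come back as `None` with no indication of which check failed; a real endpoint should treat any `None` as "unauthenticated" and log it. The point of the thread is that the verifier never needs to compare the contents of a token against anything it has seen before: the MAC binds the header and payload to the key, so a token that was not produced with `SERVER_KEY` cannot verify under it no matter how accurate its claims look.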