Not checking the signature on every single JWT is the same as storing a password in plain text.