I read that having a JWT system vs a simple token-based system eliminates token lookups in a database. But I don't get how that's possible. If it uses HMAC for a signature, doesn't the server need to look up the secret key for every client to verify their signature? Or do all clients use the same secret key? (sounds very insecure). If it uses an asymmetric algorithm, doesn't it still need to look up one of the keys to verify the signature?
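The HMAC case asked about above, as an added example that is not part of the original post: an HS256 token is signed and verified with a single key that only the server holds, so verification is a recomputation of the MAC and needs no per-client key or database lookup. `SERVER_KEY`, the function names and the claim values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one signing key, held only by the server and never given to clients.
SERVER_KEY = b"constructed-demo-key-kept-on-the-server"

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64e(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: build header.payload.signature for the given claims."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{sign(signing_input, key)}"

def verify(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, sig = token.split(".")
        # Pin the algorithm; the token must not choose how it is verified.
        if json.loads(b64d(header_b64)).get("alg") != "HS256":
            return None
        expected = sign(f"{header_b64}.{payload_b64}", key)
        # Constant-time comparison of the recomputed MAC with the presented one.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(b64d(payload_b64))
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return None
    # The user identity and expiry travel inside the signed payload itself.
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims

if __name__ == "__main__":
    alice = issue({"sub": "alice", "exp": 2000})
    bob = issue({"sub": "bob", "exp": 2000})
    print(verify(alice, now=1000), verify(bob, now=1000))
```

With an asymmetric algorithm the shape is the same: the verifier holds one public key for the issuer, not one key per client.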