The JWT contains all the data you need, the fields you have access to are shown in the docs: https://dev.twitch.tv/docs/extensions/reference/#jwt-schema
The JWT includes a signature which means that only those with your extensions secret (your EBS and Twitch) can sign the JWT, meaning a user can’t edit any values without it failing verification. For a NodeJS EBS you can see the Hello World example and how they handle verifying the secret: https://github.com/twitchdev/extensions-hello-world/blob/master/services/backend.js
Simply put, you use the jsonwebtoken module to verify/sign tokens, and you need to make sure you don’t attempt to use your secret as a string or otherwise it will fail, you need to first change your secret from a string to a Buffer type using const secret = Buffer.from(YourExtensionSeret, 'base64');