You should read up on the basics of JWTs. They have three parts to them, one of those being the signature which can be used to verify the information hasn’t been tampered with. The signature in this case uses the shared secret you can view in the extension dashboard for signing.
So on your EBS you’d receive the incoming request that contains the JWT and form data, and you’d want to first verify the JWT is valid before deciding what to do with the data. There are various libraries that you can use to decode JWTs with your shared secret. You’ll have access to a persistent Twitch userId only if you’ve explicitly required that functionality for your extension.
That website’s main page has a great little tool that you can play around with to view all that is contained in the token you receive from onAuthorized, and get a good idea of how JWTs work.
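An added example, not part of the original post: a minimal EBS-side check of the JWT using only Node's built-in `crypto`, verifying the signature and expiry before the form data is trusted. It assumes the token is signed with HS256 and that the shared secret from the dashboard is base64-encoded; the function names, sample secret and sample claims are constructed for illustration.

```javascript
const crypto = require('crypto');

// Verify an HS256 JWT against a base64-encoded shared secret.
// Returns the decoded payload, or throws if the token must not be trusted.
function verifyExtensionJwt(token, secretBase64, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, sigB64] = parts;

  // Pin the algorithm on the server; never let the token pick it ("none", RS256, ...).
  const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // Assumption: the dashboard shows the secret base64-encoded, so decode it to raw bytes.
  const key = Buffer.from(secretBase64, 'base64');
  const expected = crypto.createHmac('sha256', key).update(`${headerB64}.${payloadB64}`).digest();
  const actual = Buffer.from(sigB64, 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) {
    throw new Error('bad signature');
  }

  // Only read claims after the signature has been verified.
  const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) throw new Error('expired');
  return payload;
}

// Constructed helper: signs a sample token so the example runs offline.
function signSample(payload, secretBase64) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  const key = Buffer.from(secretBase64, 'base64');
  return `${body}.${crypto.createHmac('sha256', key).update(body).digest('base64url')}`;
}

// Constructed sample secret and claims (not real values).
const SAMPLE_SECRET = Buffer.from('constructed-demo-secret').toString('base64');
const sampleToken = signSample(
  { exp: 2000000000, opaque_user_id: 'U12345', role: 'viewer' }, SAMPLE_SECRET);
```

In a request handler, call `verifyExtensionJwt` on the token from the request and reject the request if it throws; a token whose payload was edited after signing fails with `bad signature`.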