try:
            # Decode the JWT and raise an error if the sig is invalid.
            # Make sure to specify the expected algorithm to prevent attacks
            # that use an RSA public key as an HMAC secret key.
            user_info = JWS().verify_compact(