Verifies the JWT and returns its parsed payload object. If verification fails, an error will be thrown.

Verification will fail if:

• The header isn't { "alg": "HS256" } (temporary, WIP)
• The JWT was signed with an unknown key
• The signature doesn't match its header/payload

Multiple keys can be provided to handle key rollover. If no keys are provided, the module-level random fallback key will be used.