Citi Interview Question

How would you attack an application that uses a JWT?