JWT token signature validation javascript

if I do not validate the signature at the client side how can I ensure that the token is indeed from the server.? Maybe there is somebody in the middle who is changing the token

Signature validation does not avoid a Man In The Middle attack. An attacker could sniff the channel to capture credential or alter messages even using valid tokens

Use a SSL/TLS channel (https)

If I do not verify the signature how can I know the token is not tampered with?

A token provided by a TLS trusted server is probably valid.(it could has been altered in local storage). You can validate the signature. This operation is usually done in server side( see @sakuto answer), but you can do it in the browser perfectly

But how do i verify the signature at the client site?

These are the steps

1. Download the public key from a trusted server
2. extract the signature from JWT and decode it( base64url)
3. verify the digital signature using a cryptographic library

I suggest to use the Webcrypto. See an example of RSA import key an validation here: https://github.com/diafygi/webcrypto-examples/blob/master/README.md#rsassa-pkcs1-v1_5

You are usually not doing verification on client-side, nor storing important data on the token. Every control and permission are checked on the back-end. Meaning that even if the user tamper its token, he won't able to pass the back-end control, only possibly seeing one more option on the front.

This type of work-around comments are the reason why I don't trust "libraries" written by others.

JWT.io has reported that many of the libraries that are widely available have security vulnerabilities.

RFC 7519 clearly states that the application MUST validate the token signature and if its signature is not valid, you MUST discard it.