In nearly all cases, NimbusJwtDecoder and NimbusReactiveJwtDecoder throw a JwtException when something goes wrong.
However, this makes it tricky to differentiate between invalid tokens and invalid application state.
One way to improve this would be to introduce a new exception that extends JwtException. Like BadCredentialsException, BadJwtException could be a good name.
Then, if the exception is BadJwtException, the application can know that it's an invalid token instead of invalid application state