Jwt verifies successfully without a secret

here is my jwt config
{
“alg”: “HS256”,
“typ”: “JWT”
}
{
“aud”: “my_jitsi_app_id”,
“iss”: “my_jitsi_app_id”,
“sub”: “mydomain.xyz”,
“room”: “aaa”,
“iat”: 1516239022
}

I am able to access the room ‘aaa’ without using app secret to generate the jwt. when i add the app secret in the HMACSHA256 step, i am not able to access room ‘aaa’ with the generated jwt. What am i doing wrong ? I want to use the secret to generate the token