StyraInc / rego-style-guide

Style guide for Rego

Home Page: https://docs.styra.com/opa/rego-style-guide


Consider recommending verification and decoding of JWTs in two separate steps

anderseknert opened this issue · comments

Although documented, even experienced users get confused by the default constraints (aud in particular) provided by io.jwt.decode_verify. I think we might want to consider recommending verifying and decoding as a two-step process, i.e.

Avoid

claims := payload {
    # decode_verify returns [valid, header, payload] and also applies the
    # built-in claim constraints (exp, nbf, aud) from the constraints object
    [valid, _, payload] := io.jwt.decode_verify("my_jwt_token", {"cert": "my certificate"})
    valid
}

Prefer

claims := payload {
    # step 1: signature check only; no claim constraints are applied here
    io.jwt.verify_rs256("my_jwt_token", "my certificate")
    # step 2: decode returns [header, payload, signature]; the payload is only
    # trustworthy because the signature check above succeeded
    [_, payload, _] := io.jwt.decode("my_jwt_token")
}

I generally agree, but we should also give examples of checking the nbf/exp, aud etc criteria from rego, then, maybe? Or at least call out the difference, and that you can't replace snippet 1 with snippet 2 and expect everything to be the same.

Yes, or even better, provide a library for that purpose :)
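Putting the two-step approach from the issue together with the nbf/exp/aud checks raised in the first reply, here is an added example in Rego (not code from the issue or from the style guide). It assumes the token arrives as input.token, and that data.jwt.public_cert and data.jwt.expected_audience hold the trusted verification key and the audience this service accepts; the 30-second leeway is a constructed value.

```rego
package jwt_two_step

# Assumed inputs: input.token (the JWT), data.jwt.public_cert (PEM key),
# data.jwt.expected_audience (string). Clock skew allowance is constructed.
leeway_seconds := 30

now_seconds := time.now_ns() / 1000000000

# Step 1: signature only. verify_rs256 says nothing about exp, nbf or aud.
signature_valid {
    io.jwt.verify_rs256(input.token, data.jwt.public_cert)
}

# Step 2: decode without verification. The payload is used only when
# signature_valid holds (see the claims rule below).
payload := p {
    [_, p, _] := io.jwt.decode(input.token)
}

# exp is a NumericDate in seconds (RFC 7519). This example requires exp to be
# present: a missing exp leaves not_expired undefined and the token is rejected.
not_expired {
    payload.exp > now_seconds - leeway_seconds
}

# nbf is optional; accept when absent, otherwise it must already have passed.
not_before_ok {
    not payload.nbf
}
not_before_ok {
    payload.nbf <= now_seconds + leeway_seconds
}

# aud may be a single string or an array of strings (RFC 7519 section 4.1.3).
audience_ok {
    payload.aud == data.jwt.expected_audience
}
audience_ok {
    is_array(payload.aud)
    payload.aud[_] == data.jwt.expected_audience
}

# claims is defined only when every check passes; otherwise it is undefined,
# which callers should treat as deny.
claims := payload {
    signature_valid
    not_expired
    not_before_ok
    audience_ok
}
```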