Allow jwt decode without passing a key

[CruseCtrl]

When using decode with noVerify, there's no point in passing the key because it's not going to be used. It would make sense if you could call decode(token) without passing a key, and it would decode the token without trying to verify it.

At the moment I have to do something like decode(token, 'dummy_key', true), which is a lot more verbose

[DevBrent]

This is a bad idea. By default, decode should always verify in order to reduce the chance of incorrectly believing the request is verified. You can also pass undefined as your key for this case.