The v2.0 API documentation doesn't have examples for creating a policy. The only policy reference I could find was in creating keys and that's not what is needed for JWT.
Found this which hopefully will enable me to figure the API out.
Created API with dashboard and captured request/response JSON with Chrome Developer Tools.
Formatted the JSON here and used curl to send to tyk-gateway.
It complained about format, but the response and tyk-gateway log weren't much help.
msg="Couldn't decode new API Definition object: invalid character 'Â' looking for beginning of object key string"
Used cat on the json and discovered the formatting indentation was not spaces.
cat -A appFoo2.json
M-BM- M-BM- M-BM- M-BM- "name": "fooApi",$
M-BM- M-BM- M-BM- M-BM- "slug": "fooapi",$
After a find replace of the M-BM- to space there were a couple more things.
Had to delete the json wrapper or the curl response would be success, but the tyk-gateway log would report "API Definition with this ID already exists, deleting file..." even when GET returned nothing for the same ID.
. . .
Also had to add api_id.
DELETE always reports success even when it didn't delete anything due to bad path or wrong ID, while it is idempotent, it is also a false positive.
The bottom line is the http response isn't always correct or useful and it is necessary to watch the tyk-gateway log to see if things are indeed working properly. Also discovered an API loading error when reloading after config changes, that probably could/should have caused a response error when creating the API in the first place.