Thanks for your quick response!
Your first approach won’t work, as the JWT will be different every few minutes (because of the “expires”-field). This is not acceptable, as I want to apply rate-limiting to every user.
I don’t yet know how to write custom middleware in JS, but I will have a look. Thanks!