Basic policy question

Hmmm yeah, the only catch is it means you have to allow all applications that recognize the JWT to be able to perform token validation against Tyk (i.e. to ensure the token was really issued by Tyk). This means two possibilities:

  1. Tyk becomes a full-fledged OAuth provider exposing all the well-known OAuth endpoints, it needs key management, certificates, etc.; or
  2. Tyk can only support the HMAC protocol for token verification, which limits its utility.
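To make the second option's limitation concrete, here is a small stdlib-only HS256 signer and verifier, added as an illustration rather than code from this thread or from Tyk. With an HMAC-signed JWT, verification needs the same secret that produced the signature, so every application that validates tokens must be given the gateway's signing secret, and that secret is also sufficient to mint tokens the gateway will accept. The secret value and claims below are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(claims: dict, secret: bytes) -> str:
    """Build a JWT with an HS256 signature over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def hs256_verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token carries a valid HS256 MAC under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's header choose it (avoids alg=none / confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def shared_secret_implies_issuance(secret: bytes) -> bool:
    """True when a party given only the verification secret can also produce
    a token the gateway accepts. For HS256 this is always the case, which is why
    handing the secret to every consumer widens the trust boundary to all of them."""
    # A downstream consumer holds `secret` because it needs it to verify tokens...
    consumer_minted = hs256_sign({"sub": "consumer-minted"}, secret)
    # ...and that same secret is all the gateway checks.
    return hs256_verify(consumer_minted, secret) is not None


if __name__ == "__main__":
    # Constructed sample values; a real deployment would use a random, high-entropy secret.
    gateway_secret = b"constructed-gateway-secret"
    token = hs256_sign({"sub": "alice", "scope": "read"}, gateway_secret)
    print("gateway verifies:", hs256_verify(token, gateway_secret))
    print("wrong secret verifies:", hs256_verify(token, b"some-other-secret"))
    print("consumer with secret can issue:", shared_secret_implies_issuance(gateway_secret))
```

The contrast with option 1 is that an asymmetric signature (RS256/ES256) lets consumers verify with only the public key, so distributing verification material does not distribute the ability to issue tokens; that is the extra key-management and certificate machinery the first option refers to.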