Hi!
I've set up an API protected by JWT authentication. Though the system is working well, I've noticed the following:
- It’s required (in the API definition) to specify in which JWT claim Tyk will find the policy ID.
- However, I can specify all the restrictions and policies I want in the key itself.
So, in my opinion, the information is duplicated. I would have expected the policy claim to be optional and, in that case, for Tyk to apply all the policies of the key. The JWT would then be cleaner as well, containing just the Tyk key.
What do you think?