JWT (JSON Web Token) authentication mode for APIs, and JWT API keys

We are aware of this and it is an issue with our hash implementation - unfortunately fixing it breaks backwards compatibility, so we’re looking for alternative ways to approach this.

However, with a JWT, the token itself is still being cryptographically validated each time, so in order for a user to gain access, they would need to generate a valid signed token from the user’s private key; changing the kid or the sub wouldn’t affect that element of how Tyk evaluates access control.
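To make the point above concrete, here is an added example (written for this page, not Tyk's own code) using only the Go standard library: an RS256 signature covers the exact header and claims bytes, so a token whose `kid` or `sub` has been rewritten without the private key fails verification. The names `NewSigningKey`, `SignRS256`, `VerifyRS256` and `Tamper` are chosen here; the generated key pair stands in for the user's private key, and only the signature check is modelled (expiry, issuer and policy lookups are out of scope).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding
// NewSigningKey makes a fresh RSA key pair standing in for the user's private key.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func seg(v map[string]any) string {
	raw, _ := json.Marshal(v) // JSON-safe maps always marshal
	return b64.EncodeToString(raw)
}
// SignRS256 signs SHA-256("header.payload") with the private key (JWT alg RS256).
func SignRS256(key *rsa.PrivateKey, header, claims map[string]any) (string, error) {
	input := seg(header) + "." + seg(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyRS256 hashes the header.payload actually received, so an edited kid or sub no longer matches the signature.
func VerifyRS256(pub *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return rsa.ErrVerification
	}
	sig, err := b64.DecodeString(parts[2])
	if err == nil {
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return err
}
// Tamper rewrites one field of segment 0 (header) or 1 (claims) and keeps the
// original signature: all that can be done without the private key.
func Tamper(token string, part int, field string, value any) string {
	parts := strings.Split(token, ".")
	raw, _ := b64.DecodeString(parts[part])
	m := map[string]any{}
	_ = json.Unmarshal(raw, &m)
	m[field] = value
	parts[part] = seg(m)
	return strings.Join(parts, ".")
}
```

A gateway that verifies this way rejects a token with a swapped `sub` or `kid` before any key or policy lookup happens; the test exercising both cases is the check worth keeping in your own suite.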