JWT (JSON Web Token) authentication mode for APIs, and JWT API keys

Hi @James, thanks for the help.

I still didn’t get what “This is a JWT ID” under the API Key creation does, can you explain better? Because I created a new API Key with this setting enabled and at the end the generated key was not a JWT one… It was just a regular hash. How is this meant to be used?

Also, using the “JSON Web Token” API authentication mode, the “Identity Source” (sub) apparently doesn’t matter… If I send a token with a valid sub, it asks me for a valid policy. If I put a valid policy (pol) in the JWT token, it allows me even if the sub is invalid.