JWT (JSON Web Token) authentication mode for APIs, and JWT API keys

When a JWT is validated, a token is created to track the session data for that JWT. This is tied to the “sub” claim in the token.

In the case where we want each key to be signed individually, e.g. different HMAC secrets for each key, we need a way to store the individual secrets for the gateway to be able to verify the tokens accurately. For this purpose we create an API key with the “This is a JWT ID” checkbox, which allows us to store the individual secret for that JWT in the session for that key. The key we created is then passed as the “kid” header in the JWT, allowing the secret to be retrieved from the session to verify the JWT with.

In this case, the created key is also used to track the user identity/quota/rate limits, so the “sub” claim is not read.

Hope that helps!
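The lookup described in the reply above, as an added illustration that is not part of the original post and not Tyk's own code: the gateway resolves the per-key HMAC secret from the `kid` header, verifies the HS256 signature with it, and then uses the key id (not `sub`) as the identity for quota and rate-limit tracking. `KEY_STORE` is a constructed stand-in for the gateway's session store.

```python
import base64, hashlib, hmac, json, time

# Constructed sample: API key id (sent as the JWT "kid" header) -> that key's HMAC secret.
# Hypothetical stand-in for the gateway's session store, not a real gateway API.
KEY_STORE = {
    "key-alice-01": b"alice-secret-constructed",
    "key-bob-02": b"bob-secret-constructed",
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, kid, secret):
    """Build an HS256 JWT whose header carries the API key id in 'kid'."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Resolve the secret by 'kid', check the HS256 signature and 'exp'.
    On success returns the identity to track (the key id; 'sub' is not used
    for identity here) together with the claims; returns None on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm switching
        return None
    kid = header.get("kid")
    secret = KEY_STORE.get(kid) if isinstance(kid, str) else None
    if secret is None:  # unknown key id: no secret, so the token cannot be trusted
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return {"identity": kid, "claims": claims}
```

A token signed with one key's secret but presenting another key's id fails verification, because the secret is always taken from the store entry named by `kid`, never from the token.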