JWT (JSON Web Token) authentication mode for APIs, and JWT API keys

@Luan

The key we created is then passed as the “kid” header in the JWT, allowing the secret to be retrieved from the session to verify the JWT with.

This is the JWT passed to the API gateway, right?
So this JWT has to contain:

  • a kid header/sub field with the key id
  • a pol/policy field to validate rate limits etc…
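
The lookup described in the quoted sentence, as an added example that is not part of the original post and not the gateway's own code: the verifier reads the "kid" header, fetches the matching secret, and only then checks the signature. HS256, the `KEY_STORE` dict standing in for the session store, and the key id, secret and `pol` claim value are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the gateway's session store: key id -> shared secret.
KEY_STORE = {"key-1": b"constructed-secret-1"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, claims: dict, secret: bytes) -> str:
    """Build an HS256 token (used here only to produce sample input)."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, key_store: dict) -> dict:
    """Return the claims if the token verifies; raise ValueError otherwise."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the unverified header must not get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The kid is untrusted input: use it only as a lookup key.
    kid = header.get("kid")
    secret = key_store.get(kid) if isinstance(kid, str) else None
    if secret is None:
        raise ValueError("unknown kid")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # Claims (e.g. the assumed "pol" field) are parsed only after verification.
    return json.loads(b64url_decode(body_b64))

def sample_token() -> str:
    """Constructed token carrying the kid header and an assumed pol claim."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "key-1"}
    return sign(header, {"sub": "key-1", "pol": "policy-1"}, KEY_STORE["key-1"])
```
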