The “kid” header is only needed if you want each JWT to be encrypted with its own secret, as mentioned here:
To encrypt each JWT with the same secret (standard behaviour), all that is needed is a user-specific name or ID in the “sub” claim and a policy to apply to the JWT in “pol”. No need to manually create any API keys.
Add the secret to the API definition, and add the JWT in a header in the API call to the gateway:
Authorization: Bearer {token}
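The shared-secret flow described above, worked as an added example (this is not code from the original post or from any gateway product): a minimal HS256 JWT builder and a verifier that uses the API's single shared secret when the token carries no “kid” header, and a per-key secret table when it does. Note that with HS256 the shared secret produces an HMAC signature over the header and payload; the claims themselves are only base64url-encoded, so anyone holding the token can read “sub” and “pol”. The secret values, the user `alice`, the policy name `default-policy` and the `kid` value `svc-1` are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: Dict[str, str], secret: bytes, kid: Optional[str] = None) -> str:
    """Build an HS256-signed JWT. 'kid' is added to the header only when given,
    matching the case where each token is bound to its own secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_claims = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_claims}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_jwt(
    token: str,
    shared_secret: bytes,
    per_key_secrets: Optional[Dict[str, bytes]] = None,
) -> Dict[str, str]:
    """Verify the signature and return the claims. Without a 'kid' header the
    API-wide shared secret is used; with one, the secret is looked up by kid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose (rejects 'none' and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid is None:
        secret = shared_secret
    else:
        if not per_key_secrets or kid not in per_key_secrets:
            raise ValueError("unknown kid")
        secret = per_key_secrets[kid]
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    # The gateway flow needs both a subject and a policy to apply.
    for required in ("sub", "pol"):
        if required not in claims:
            raise ValueError(f"missing {required} claim")
    return claims


def bearer_header(token: str) -> Dict[str, str]:
    """The header the client sends to the gateway."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed sample values; the secret would live in the API definition.
    api_secret = b"api-shared-secret"
    token = make_jwt({"sub": "alice", "pol": "default-policy"}, api_secret)
    print(bearer_header(token))
    print(verify_jwt(token, api_secret))
```

Calling `verify_jwt` with the wrong secret, a tampered payload, a different `alg`, or an unknown `kid` raises `ValueError`; the policy name in “pol” is what the gateway would then resolve to a rate limit and access rights.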