Thanks for the response, we really do appreciate all feedback (no matter how grumpy I may seem), so apologies if my last reply seemed dismissive.
The JWK issue is pretty odd, basically the spec indicated the key should be base64 encoded, and the example from Auth0 refused to decode.
So in principle (and in our tests) the JWK works, it just doesn't reflect reality at the moment, and that is probably down to us getting better acquainted with how JWKs work.
On the other hand, I feel there's a security issue with providing a public key to validate JWTs via a web hook, since a MITM attack could provide false public key credentials to a validator like Tyk and then fake responses that would get through the gateway, so I'm not sure how happy I am with that feature in general.
(I guess it would be ok if the JWK comes from an internal, safe source as opposed to the wider net).
Either way, it's all still in development, so we'll be fixing it in due course and we really are grateful for all the feedback, especially against a dev version.