I'm evaluating Tyk and was able to route my requests to my services, using JWT authentication, setup in the API, with an RSA public key.
I'm just wondering why there's an other JWT configuration section in the key definition... Does it overwrite the one in the API? What about the policy specified in the token vs the one in the key? Is the JWT signature verified twice then?