I’m evaluating Tyk and was able to route my requests to my services, using JWT authentication, set up in the API, with an RSA public key.
I’m just wondering why there’s another JWT configuration section in the key definition… Does it overwrite the one in the API? What about the policy specified in the token vs the one in the key? Is the JWT signature verified twice then?
The alternative configuration setting exists to allow public keys to be tied to a token and allow the use of said token as if it were the kid header in a JWT. This way the public key can be used to evaluate a JWT when it arrives.
The two methods cannot be combined however, so JWTs must either be centralised or tokenised. Further details regarding this can be found in our docs.
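The key selection described in the answer, modelled as an added Ruby example (my own illustration, not Tyk's code or anything from its docs): in centralised mode the verifier uses the API-level key and ignores `kid`; in tokenised mode it looks the public key up by the `kid` header, which stands in for the key ID. Either way the signature is checked once. The names `Verifier`, `sign_jwt` and the `tokenised:` flag are my assumptions.

```ruby
require "openssl"
require "base64"
require "json"

# Model of the two configurations described in the answer above (my assumption of
# the behaviour, not Tyk's code): centralised mode verifies every JWT with the one
# API-level key and ignores kid; tokenised mode resolves the public key from the
# kid header, i.e. from the key ID the token was issued against.
class Verifier
  # api_key:   the RSA public key configured in the API definition
  # per_token: { kid => RSA public key }, the key stored in each key definition
  def initialize(tokenised:, api_key: nil, per_token: {})
    @tokenised, @api_key, @per_token = tokenised, api_key, per_token
  end

  # Checks the signature exactly once, with whichever key the active mode selects,
  # and returns the claims; raises on any failure (never returns unverified claims).
  def verify(token)
    raise "malformed token" unless token.count(".") == 2
    h64, c64, s64 = token.split(".", -1)
    header = JSON.parse(Base64.urlsafe_decode64(h64))
    raise "alg must be RS256" unless header["alg"] == "RS256" # also rejects alg=none
    pub = @tokenised ? @per_token[header["kid"]] : @api_key   # centralised ignores kid
    raise "no public key for this token" if pub.nil?
    sig = Base64.urlsafe_decode64(s64)
    digest = OpenSSL::Digest.new("SHA256")
    raise "signature invalid" unless pub.verify(digest, sig, "#{h64}.#{c64}")
    JSON.parse(Base64.urlsafe_decode64(c64))
  end
end

# Builds an RS256 JWT carrying kid in its header (constructed helper for the demo).
def sign_jwt(priv, kid, claims)
  enc = ->(s) { Base64.urlsafe_encode64(s, padding: false) }
  header = JSON.generate({ "alg" => "RS256", "kid" => kid })
  input = "#{enc.(header)}.#{enc.(JSON.generate(claims))}"
  "#{input}.#{enc.(priv.sign(OpenSSL::Digest.new("SHA256"), input))}"
end
```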