Is your gateway actually validating that JWT?
Paste a Kong, Azure APIM, or Apigee JWT-validation policy. gwjwtlint statically checks it against
the vendor docs and RFC 8725 — is the iss/aud/exp actually enforced, is a signing-algorithm
pinned, are unsigned tokens rejected, are keys from a rotatable JWKS. No network calls; inline
secrets redacted before anything is saved.
Load example:
Runs as pure static analysis. Inline HMAC secrets and signing keys are always redacted before a permalink is stored.