Is your gateway actually validating that JWT?

Paste a Kong, Azure APIM, or Apigee JWT-validation policy. gwjwtlint statically checks it against the vendor docs and RFC 8725 — is the iss/aud/exp actually enforced, is a signing-algorithm pinned, are unsigned tokens rejected, are keys from a rotatable JWKS. No network calls; inline secrets redacted before anything is saved.

Load example:

Runs as pure static analysis. Inline HMAC secrets and signing keys are always redacted before a permalink is stored.