lotusbase / lotus.au.dk

Lotus Base website
https://lotus.au.dk
MIT License

Fix issue where passthrough is enabled on all API routes #31

Closed terrymun closed 6 years ago

terrymun commented 6 years ago

An incorrect configuration causes all calls to the v1 API to pass through, resulting in no JWT authentication.

terrymun commented 6 years ago

This issue also fixes a bug discovered during the process of troubleshooting: basically, the same secret is used to sign JWTs used for API keys and user logic, which is unsafe (users can copy an API key and pass it to the Authorization header, and that will be marked as valid).
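
The shared-secret problem described in the last comment, as an added example that is not part of the original issue or the Lotus Base code. It uses a minimal HS256 implementation from the Python standard library; the secrets, claim names and the `aud` values `api` and `user` are constructed assumptions, and the per-purpose secrets plus audience check are one common way to separate the two token kinds, not necessarily the fix the project applied.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify(token, secret, audience=None):
    """Return the claims if the signature (and audience, when given) match, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if audience is not None and claims.get("aud") != audience:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

# Constructed secrets, for illustration only.
SHARED_SECRET = b"constructed-shared-secret"
API_KEY_SECRET = b"constructed-api-key-secret"
USER_SECRET = b"constructed-user-session-secret"

def shared_secret_accepts_api_key() -> bool:
    """Before: one secret signs both kinds, so an API key verifies as a user token."""
    api_key = sign({"sub": "user-42", "scope": "api"}, SHARED_SECRET)
    return verify(api_key, SHARED_SECRET) is not None

def separated_accepts_api_key() -> bool:
    """After: per-purpose secrets and an audience claim; the API key is rejected."""
    api_key = sign({"sub": "user-42", "aud": "api"}, API_KEY_SECRET)
    return verify(api_key, USER_SECRET, audience="user") is not None

def separated_accepts_user_token() -> bool:
    user = sign({"sub": "user-42", "aud": "user"}, USER_SECRET)
    return verify(user, USER_SECRET, audience="user") is not None
```

The audience check also holds on its own: a token carrying `aud: api` is rejected by the user verifier even if both kinds were still signed with the same secret.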