When creating APIs it can be useful to separate out the concern of validating JWT tokens to some downstream service. This has a number of benefits Testing becomes easier as you do not have to create valid JWTs for each API call Less configuration needs to be distributed to the API at runtime You can still pass and make use of JWTs and their payloads within the API but you just offload the task of actually validating that payload to something else.