Docker is a great tool for build pipelines. Without a doubt, it allows you to create isolated and reproducible builds, not just of Docker images themselves but also of artefacts that you might extract and use outside of the container. When you are building Docker images, security should be one of the concerns you take care of in your CI pipeline. This ranges from simple linting of your Dockerfiles using something like hadolint to a more complex scanner that can inspect the internals of your images and give you some clues as to where you might need to address security concerns.
When creating APIs it can be useful to separate out the concern of validating JWTs to some downstream service. This has a number of benefits:

- Testing becomes easier, as you do not have to create valid JWTs for each API call.
- Less configuration needs to be distributed to the API at runtime.

You can still pass and make use of JWTs and their payloads within the API; you just offload the task of actually validating that payload to something else.