Also known as "things I've learned today"...

I've been using Insomnia the last couple of days to test a web API. Insomnia's a great client - it's got lots of features to make life easier. You can set arbitrary headers to whatever value you want, you can import cURL commands, or export requests out to cURL (and lots of other languages). Lots of stuff.

Another of those features is that it understands a number of authentication methods on the web, such as bearer tokens. That's really handy when you're using tokens to authenticate - you don't have to go and specify the header yourself.

Where it got sticky - and caught me out - is that if you've manually specified an Authorisation header with a Bearer token, that takes precedence over the one you set using the built-in authentication menu. I'm sure you can see where this is going...

If you don't happen to notice the little '1' where you don't expect it, you can be trying to use a (perfectly valid) token and yet sending a completely different one, thus getting a rather confusing result. Delete the extra header and everything springs into life.

Still. At least I didn't actually have any JWT bugs in my code, only in my tool setup. That's something to be pleased with I guess. :-)