Middleware can be bypassed by configuration mistakes and it often only decides whether a request should continue. If later code trusts injected headers instead of re-verifying claims, the application can authorize access on a value that was never checked at the point of use.
Why This Matters for Security Teams
JWT verification that happens only in middleware creates a split-brain trust model: one component checks the token, another component makes the real decision later. If the application trusts headers, context objects, or downstream claims without re-validating them, an attacker only needs one routing mistake, one proxy exception, or one forgotten code path to turn a protected request into an authorised one. That is why NHI governance treats verification as a point-of-use control, not just a request filter. The risk is amplified when service accounts, API keys, and other non-human identities are already over-privileged, as highlighted in the Ultimate Guide to NHIs.
Middleware-only checks also conflict with broader guidance in the NIST Cybersecurity Framework 2.0, which expects access decisions to be tied to protected assets and enforced consistently. If the token is validated before the request is transformed, forwarded, cached, or enriched, later layers can end up authorising based on stale or untrusted state. In practice, many security teams discover this pattern only after a proxy bypass, a header injection issue, or an internal service compromise has already occurred.
How It Works in Practice
JWT verification should be enforced as close as possible to the resource that is being protected. Middleware may still be useful for early rejection, but the application or service handler should independently validate the token signature, issuer, audience, expiry, and critical claims before relying on any identity data. That matters because middleware often terminates at the edge, while authorisation decisions happen deeper in the stack where request state can be altered.
A safer pattern is to treat the middleware result as advisory and re-check the token or verified identity context at the point of use. For APIs, that usually means:
- Verify the JWT signature and registered claims in the service that consumes the request.
- Ignore injected headers unless they are set by a trusted internal component and re-authenticated.
- Bind authorisation to the token subject, audience, and intended operation, not just to a session flag.
- Use short-lived credentials and rotate secrets so a bypass has a smaller window of abuse, as discussed in the Ultimate Guide to NHIs.
For service-to-service traffic, current guidance suggests pairing token verification with workload identity, mutual trust boundaries, and policy enforcement that reflects the request context. That is consistent with NIST Cybersecurity Framework 2.0 principles around access control, least privilege, and continuous governance. Teams that centralise JWT trust in a gateway without re-verification at the service boundary often create an implicit trust chain that breaks when requests are replayed, proxied, or internally redirected.
These controls tend to break down in microservice environments with service mesh sidecars and mixed trusted and untrusted internal hops because identity can be rewritten or assumed without a fresh check at the final decision point.
Common Variations and Edge Cases
Tighter token verification often increases implementation overhead, requiring organisations to balance stronger assurance against latency, code duplication, and operational complexity. There is no universal standard for every stack, but best practice is evolving toward defence in depth rather than “verify once and trust everywhere.”
One common edge case is gateway offload. If a reverse proxy verifies the JWT and then forwards only selected claims, the service must still treat those claims as untrusted unless the proxy-to-service channel is mutually authenticated and the downstream service explicitly trusts that boundary. Another edge case appears in legacy monoliths, where middleware may be the only practical enforcement layer. In those systems, controls should still include strict internal trust boundaries, header sanitisation, and explicit allowlists for which components can assert identity.
For NHI-heavy environments, the issue is not just authentication but lifecycle control. Secrets and tokens need expiry, rotation, and offboarding discipline so a bypass does not become a long-lived foothold. Research from the Ultimate Guide to NHIs shows how often organisations retain excessive access and valid secrets far longer than intended. The practical lesson is simple: if a downstream component can make a decision, it must either re-verify the JWT or consume a cryptographically trusted identity assertion that was designed for that boundary. Otherwise, the middleware becomes a single point of failure instead of a security control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Directly addresses trust in non-human identity assertions and token handling. |
| NIST CSF 2.0 | PR.AC-4 | Access control must be enforced consistently, not only in edge middleware. |
| NIST Zero Trust (SP 800-207) | 3.2 | Zero Trust requires explicit verification at every request, not inherited trust. |
Apply least privilege at the service boundary and validate identity before each authorisation decision.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
