I found my issue. which was unrelated to JWT., but related to a security check imposed in my Dispatch class/ the Privilage check there, does not (rightly so), insert an entry in the Security audit log.

all good now.

David,   

In your example above - does the user 'APIUser' have any other privilges other than those needing to read/write to the underlying database(s) of the namespace the application is tied to ? Can you confirm that user does not carry %All ??

I'm finding I have a missing some permissions, and only users with %All can get to subsequent API Calls - but - the Security Audit Log does not report any errors - I just get a 401.  There is something failing for me in the CSP plumbing which is decrypting the token, on the way in and setting up the user context. - my dispatch class code is not invoked.

have you encountered this or have any low-level debugging tips ?

Thanks - 

Happy Birthday DC !!

Thank you for all the articles, posts, comments, contests and code...

What a great asset..I don't know where we'd be without you