Validating JWTs from multiple issuers introduces failure modes that do not exist with a single issuer. Learn the correct pattern and the attacks that result from getting it wrong.