We're handing it by doing an

intercept(ApplicationCallPipeline.Infrastructure)

on the routes we care about, validating the JWT, and then passing the claims onwards via the

call.attributes

hashmap