Thanks. I've currently settled for having both an 'authenticated' client and an 'unauthenticated' client.
The thing that tipped me further towards that was; if you want to 'log out' there's no way to clear the keys loaded into JWT authentication, the only way to effectively and reliably drop them seems to be switching client.
Ended up injecting a 'provideClient' lambda to my services which gives either the authenticated or unauthenticated client depending on the session state (login/out). No idea if this is idiomatic but it works for me.