Should your auth-service be validating tokens?
Earlier this month, I happened to be in a technical discussion with a small team wherein I was being briefed about how authorization works in their microservice-based system.
Here's what a request to one of their protected resources looks like:
Though I've only depicted one Protected