refactor: remove known limitations regarding JWT-only authentication from documentation and tests

Author: jkyberneees

docs/AUTHENTICATION.md

@@ -699,28 +699,6 @@ curl -v http://localhost:3000/api/data
 curl -v http://localhost:3000/public/data
 ```
 
-## Known Limitations
-
-### JWT-Only Authentication Issue
-
-⚠️ **Current Issue**: JWT-only authentication (without `apiKeys` configured) has validation issues. Tokens may be rejected even when correctly signed.
-
-**Workaround**: Use API key authentication for reliable service-to-service communication:
-
-```typescript
-// ❌ JWT-only (has issues)
-auth: {
-  secret: 'my-secret',
-  jwtOptions: { algorithms: ['HS256'] },
-}
-
-// ✅ API key (works reliably)
-auth: {
-  apiKeys: ['service-key-1', 'service-key-2'],
-  apiKeyHeader: 'X-API-Key',
-}
-```
-
 ## Troubleshooting
 
 ### 401 Unauthorized with Valid API Key

docs/TROUBLESHOOTING.md

@@ -64,23 +64,7 @@ curl -v -H "Authorization: Bearer key1" http://localhost:3000/api/data
 
 ### JWT Validation Fails
 
-**Known Limitation**: JWT-only authentication (without `apiKeys`) has validation issues.
-
-**Workaround**: Use API key authentication:
-
-```typescript
-// ❌ JWT-only (has issues)
-auth: {
-  secret: 'my-secret',
-  jwtOptions: { algorithms: ['HS256'] },
-}
-
-// ✅ Use API keys instead (reliable)
-auth: {
-  apiKeys: ['service-key-1', 'service-key-2'],
-  apiKeyHeader: 'X-API-Key',
-}
-```
+### Mixed Authentication
 
 **If you must use JWT**, check:
 

examples/README.md

@@ -49,8 +49,6 @@ Production-ready security-hardened gateway with comprehensive security features.
 - API key authentication for public/metrics endpoints
 - Multiple authentication strategies
 
-**⚠️ Known Limitation:** JWT-only authentication (without API keys) currently has validation issues. The example uses API keys which work reliably.
-
 **Run:**
 
 ```bash
@@ -328,48 +326,6 @@ gateway.addRoute({
 
 ---
 
-## ⚠️ Known Limitations
-
-### JWT-Only Authentication
-
-**Issue:** JWT-only authentication (configuring `secret` without `apiKeys`) currently has token validation issues. Tokens may be rejected with "Invalid token" even when correctly signed.
-
-**Workaround:** Use API key authentication, which works reliably:
-
-```typescript
-// ❌ JWT-only (has issues)
-auth: {
-  secret: process.env.JWT_SECRET,
-  jwtOptions: {
-    algorithms: ['HS256'],
-  },
-}
-
-// ✅ API key auth (works)
-auth: {
-  apiKeys: ['key1', 'key2'],
-  apiKeyHeader: 'X-API-Key',
-}
-```
-
-**Status:** This issue is being investigated. See [test/gateway/gateway-auth.test.ts](../test/gateway/gateway-auth.test.ts) for test coverage.
-
-### Hybrid Authentication
-
-When both JWT (`secret`) and API keys (`apiKeys`) are configured together, the API key becomes **required**. JWT alone will not work.
-
-```typescript
-// API key is REQUIRED when both are configured
-auth: {
-  secret: process.env.JWT_SECRET,
-  jwtOptions: { algorithms: ['HS256'] },
-  apiKeys: ['key1'], // API key must be provided
-  apiKeyHeader: 'X-API-Key',
-}
-```
-
----
-
 ## 📚 More Resources
 
 - [Main README](../README.md) - Full documentation

test/gateway/gateway-auth.test.ts

@@ -59,19 +59,6 @@ async function createJWTWithWrongSecret(
     .sign(wrongSecret)
 }
 
-/**
- * KNOWN LIMITATION: JWT-only authentication (without apiKeys) currently doesn't work.
- * When a route is configured with JWT auth but no API keys, token validation fails
- * with "Invalid token" even when the token is correctly signed and structured.
- *
- * This appears to be an issue with how JWT options are passed to the 0http-bun middleware
- * or how the middleware validates tokens. API key authentication works correctly, and
- * hybrid auth (JWT + API key) works when API key is provided.
- *
- * Tests marked with .skip are temporarily disabled until this issue is resolved.
- * See: GitHub issue #TBD
- */
-
 describe('BunGateway Authentication', () => {
   let gateway: BunGateway
   let backendServer: any