How JWT + mTLS Fit (explicitly) Layer Enforcement AdminAPI -> Not exposed Admin loopback Service -> WT plugin Control-plane network -> mTLS Konga -> JWT consumer + client cert Portal -> HTTPS Proxy -> HTTPS This is defense-in-depth, not “plugin stacking”.