Technology Layer (Bottom – Enforcement / Runtime)
This layer expresses where and how security is enforced:
• Auth0 (Technology / External Service)
Represents the external runtime identity service.
• Kong Gateway
The policy enforcement point (PEP) at runtime.
• JWT Plugin
The security mechanism enforcing:
o Token validation
o exp claim verification
o Issuer-based credential resolution
• Consumer
Represents the calling client identity as understood by the gateway.
This layer answers:
Where is access actually enforced at runtime?
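
An added example, not part of the original page: a Kong declarative configuration sketch showing how the elements above fit together, with the JWT plugin as the enforcement mechanism and a Consumer whose credential is looked up by the token's issuer. The service name, upstream URL, route path, consumer username, Auth0 tenant domain, RS256 algorithm choice and public key are assumptions or placeholders, not values from the page.

```yaml
_format_version: "3.0"

services:
  - name: orders-api                     # hypothetical service name
    url: http://orders.internal:8080     # hypothetical upstream
    routes:
      - name: orders-route               # hypothetical route
        paths:
          - /orders
    plugins:
      - name: jwt                        # enforcement mechanism at the gateway (PEP)
        config:
          header_names:
            - authorization              # token is read from the Authorization header
          # Issuer-based credential resolution: the value of this claim
          # is used to look up the matching consumer credential below.
          key_claim_name: iss
          # exp is NOT checked unless listed here; without this entry
          # an expired token with a valid signature is accepted.
          claims_to_verify:
            - exp

consumers:
  - username: auth0-clients              # hypothetical; the caller as the gateway sees it
    jwt_secrets:
        # Must equal the token's iss claim exactly, trailing slash included.
      - key: https://YOUR_TENANT.auth0.com/   # placeholder tenant domain
        algorithm: RS256                      # assumption: tenant signs with RS256
        rsa_public_key: |
          -----BEGIN PUBLIC KEY-----
          PLACEHOLDER_PUBLIC_KEY_FROM_THE_IDENTITY_SERVICE
          -----END PUBLIC KEY-----
```

A token whose iss matches no credential key, whose signature fails against the stored public key, or whose exp has passed is rejected at the gateway before the request reaches the upstream service.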