If you're using it with CF Tunnels/any application that validates the JWT Access Sends, make sure to use "Service Auth" rather then "Bypass". Bypass literally bypasses Access and falls back to zone security stuff, no jwt included. Service Auth goes through the flow without an identity and sends a jwt. If you're using Tunnels with the Access setting, and use Bypass, you'll get a blank screen with a 403