Kchannels employs component-level authorization. The JWT merely states who the user is, and each component decides how to authorize a given authenticated request. For example, if a user tries to access another user's channel, the request is denied by the second user's zone. It is important to note that the presence of a JWT in itself does not imply access to anything in particular; it is merely a secure statement of successful authentication vouched for by a trusted party. Also, even when authorized, a JWT is not sufficient to perform anything deemed particularly sensitive, such as perform transactions or create/update channels. For that, additional EIP-712 signatures are needed.