To complement @labsvisua's answer, I think a really important point is to have only a single auth endpoint that handles the JWT signature generation/check and returns 200/401, but to avoid calling the auth from every single other service. That second point is critical from my point of view. All the auth validation should be handled at the API gateway level, and once forwarded to a (micro)service, that service can trust the request. All your auth tests/updates belong to your API gateway, therefore if you have anything to update/fix/improve/add regarding auth, it's done in a single place (and therefore it's much easier to test).
We're not using Kong, but we usually refer to their doc to explain this: getkong.org. All the user-facing common 'boilerplate stuff' (auth, versions, ...) is centralized in an API gateway so that all your other services can focus on their real purpose, and you don't have the risk of having multiple (and possibly outdated) versions of your auth lib all over the place.
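A minimal sketch of the gateway-side pattern described in this answer, as an added example that is not part of the original post and not Kong's code: one place verifies the JWT and answers 401, strips any identity headers the client may have sent, and forwards the request upstream with gateway-set `X-User-Id` / `X-User-Roles` headers that the service then trusts without containing any JWT code of its own. The HS256 shared secret, the header names, the request dict shape and the `mint_token` helper used to construct sample tokens are all assumptions for the demo (standard library only). The trust model only holds if the service is reachable solely through the gateway (private network, mTLS, or similar); that part is deployment, not code, and is assumed here.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the demo: the gateway holds the HS256 secret; no service needs it.
GATEWAY_JWT_SECRET = b"constructed-demo-secret-change-me"
# Identity headers only the gateway is allowed to set. Anything a client sends
# under these names is dropped before forwarding.
TRUSTED_HEADERS = ("X-User-Id", "X-User-Roles")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = GATEWAY_JWT_SECRET) -> str:
    """Helper to construct sample HS256 tokens for the demo (the 'generation' half)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = GATEWAY_JWT_SECRET, now=None):
    """Return the claims dict, or None on any failure.

    Only HS256 is accepted; the 'alg' header is checked against a fixed value rather
    than used to pick the algorithm, so 'none' and algorithm-confusion tokens fail.
    """
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        now = time.time() if now is None else now
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None
        if "sub" not in claims:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def gateway(request: dict, upstream, now=None):
    """The single auth chokepoint: verify, answer 401, or forward with identity headers.

    request = {"path": str, "headers": dict}; upstream is the service callable.
    """
    # 1. Never let a client-supplied identity header reach a service.
    headers = {k: v for k, v in request["headers"].items() if k not in TRUSTED_HEADERS}
    # 2. Validate the bearer token exactly once, here.
    auth = headers.pop("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    claims = verify_jwt(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid token"
    # 3. Forward the verified identity; the raw token is not passed on.
    headers["X-User-Id"] = claims["sub"]
    headers["X-User-Roles"] = ",".join(claims.get("roles", []))
    return upstream({"path": request["path"], "headers": headers})


def orders_service(request: dict):
    """Internal service: no JWT library, no secret; trusts the gateway-set headers."""
    user = request["headers"]["X-User-Id"]
    roles = request["headers"].get("X-User-Roles", "").split(",")
    if request["path"].startswith("/admin/") and "admin" not in roles:
        return 403, "forbidden"
    return 200, f"orders for {user}"


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "roles": ["user"], "exp": 2000})
    print(gateway({"path": "/orders", "headers": {"Authorization": "Bearer " + tok}},
                  orders_service, now=1000))
```

The behaviour worth noticing is in `gateway`: it both drops inbound `X-User-*` headers and refuses to forward the raw token, so a service cannot be tricked by a client spoofing identity headers and never has a reason to grow its own (possibly outdated) verification code. Header names are matched case-sensitively in this toy; a real gateway normalises header case before this kind of filtering.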