Diagram of wifi style JWT token flow architecture infographic

Tech architecture infographic titled "JWT token flow" using the DATA PIPELINE (extract → transform → load) archetype, adapted accurately for authentication and authorization lifecycle stages. Show a hand-drawn whiteboard style developer diagram for an architect / staff audience, with clean vector infographic structure, editorial developer-blog illustration, isometric or flat tech-diagram style, vector-clean infographic layout. Use a cool blue and cyan palette on a whiteboard background, sketch-like outlines, neat annotations, subtle grid, high readability, technical but approachable mood.

Create labeled boxes connected by directional arrows, arranged left-to-right as a lifecycle pipeline:
1) Browser — icon: web browser — role: "User client sends login and API requests"
2) API Gateway / REST API — icon: API/server — role: "Receives HTTPS requests and routes auth-protected endpoints"
3) Auth Service — icon: shield server — role: "Validates credentials and issues JWT access token"
4) Cache — icon: in-memory cache — role: "Stores session metadata, token denylist, or public key cache"
5) Database — icon: relational database — role: "Stores users, password hash, roles, and token-related records"
6) Queue — icon: message queue — role: "Emits audit and login events for async processing"
7) Protected API Handler — icon: service node — role: "Verifies JWT and serves protected resource"

Add arrows with short English labels showing data direction and technically accurate payloads:
- Browser → API Gateway / REST API: "HTTPS POST /login + credentials"
- API Gateway / REST API → Auth Service: "REST auth request"
- Auth Service → Database: "SELECT user, password hash, roles"
- Database → Auth Service: "User record"
- Auth Service → Cache: "Store jti / key metadata"
- Auth Service → Queue: "Login audit event"
- Auth Service → Browser: "200 OK + JWT access token"
- Browser → API Gateway / REST API: "HTTPS GET /resource + Authorization: Bearer JWT"
- API Gateway / REST API → Protected API Handler: "Forward authenticated request"
- Protected API Handler → Cache: "Fetch JWKS / denylist / session metadata"
- Protected API Handler → Auth Service: "JWKS or introspection lookup"
- Protected API Handler → Database: "SELECT user permissions"
- Protected API Handler → Browser: "200 OK + JSON response"
- Protected API Handler → Queue: "Access audit event"

If space allows, include a small note box: "JWT is signed, not encrypted by default" and another note box: "Illustrative reference flow, not an audited security architecture".

Add a numbered legend (1-7) in English explaining the lifecycle:
1. User submits credentials from the browser over HTTPS.
2. API forwards the login request to the Auth Service.
3. Auth Service validates credentials against the Database.
4. Auth Service issues a signed JWT and may cache jti or key metadata.
5. Browser stores the JWT and sends it in the Authorization header.
6. Protected API verifies JWT signature, claims, expiry, and optional denylist or JWKS cache.
7. API returns JSON data and emits audit events to the Queue.

Visually emphasize flow stages extract → transform → load as conceptual bands only:
- Extract: credential intake and token submission
- Transform: identity validation, claim creation, signature verification
- Load: resource access, cache update, audit event emission

Do not include irrelevant Wi-Fi imagery or networking consumer icons; keep the rendering strictly about JWT request flow despite the search intent hint. Use generic cloud icons only, no vendor-specific branding. All text MUST be written in English (array). Every heading, label, caption, legend and metric name in the image must be in English — not English. Spell each English word correctly using English characters and diacritics. Numbers stay as digits, no real cloud-vendor logos (AWS / GCP / Azure) — use generic cloud icons, no watermarks No real cloud-vendor logos (AWS, GCP, Azure) beyond generic cloud icons. Common protocol names (HTTPS, TCP, JWT, OAuth, REST, GraphQL) stay in canonical English form. No security-claim overstatements (do not present diagrams as audited reference architectures).