That's a great point and perhaps I should mention it. We do use both the spiffe mTLS-established identity and Authorization headers for different purposes. If the request originates from an external client, we rely on tokens, if it originates from a service (e.g. batch job), we use the spiffe identity.