Hi Eduardo,
How Mobile SDK works with JWT signing for a payload is that, by default, Mobile SDK uses the key pair that the SDK used for device registration and retrieves the client certificate for the device. What makes it easier with this approach is that, as the public key of the client certificate is already known on the Gateway, you don't have to manage or maintain the key pair separately.
Of course, you also have the option to do the JWT signing with your own custom private key, but in this case you will have to manage the public key and implement your own logic to maintain it.
For this answer, I will assume that you use the default signing mechanism, which uses the key pair from device registration.
On your endpoint to validate the JWT payload, you should do the validation of the OAuth token and the Mutual SSL assertions to secure the API. MSSO Require Registered Device - Mutual SSL will validate the client certificate presented by Mobile SDK to make sure that the device is known and registered on the Gateway. As you can see in the attached screenshot, one of the outputs from MSSO Require Registered Device - Mutual SSL is ${signed_certificate}.
With that context variable, you can use Decode JSON Web Token and use ${signed_certificate} as the Recipient Key Context Variable, with Key Type set to Certificate (as shown in the attached screenshot).
The output of Decode JSON Web Token should tell you the result of the validation.
Please let me know if you need any further clarification, or further assistance on this issue.
Thanks,
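To make the Decode JSON Web Token step above concrete, here is an added example, written in Go and not code from CA/Layer7 or from Mobile SDK, of what "recipient key = a certificate" means in practice: the verifier takes the public key out of the certificate that the Mutual SSL assertion exposes as ${signed_certificate}, checks the RS256 signature over header.payload, pins the alg so a token claiming "none" is refused, and rejects an expired token. Everything else is constructed for the example: `newDeviceKeyAndCert` stands in for device registration (a locally generated key pair and self-signed certificate), `signJWT` is the client half, and `verifyJWT` is the Gateway half. Whether the device is actually registered is what the Mutual SSL assertion checks and is not reproduced here; this block only shows the signature validation that follows it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)

// newDeviceKeyAndCert is a constructed stand-in for device registration: an RSA key pair plus a
// self-signed certificate carrying its public key. On the Gateway the certificate is what
// ${signed_certificate} holds; here both halves are generated locally so the example runs offline.
func newDeviceKeyAndCert(subject string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// signJWT is the client side: a compact RS256 JWS over the claims, signed with the registration key.
func signJWT(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyJWT is the Decode JSON Web Token step with a certificate as the recipient key: take the
// public key out of the PEM certificate, check the signature over header.payload, and reject an
// expired token. The alg is pinned to RS256, so a header announcing "none" or an HMAC alg is refused.
func verifyJWT(token string, certPEM []byte, now time.Time) (map[string]interface{}, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("recipient key is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS")
	}
	rawHeader, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawPayload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("alg must be RS256 for a certificate recipient key")
	}
	// The signature covers the encoded header and payload exactly as received, so any edit to
	// either segment invalidates it.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the certificate")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok && now.Unix() >= int64(exp) {
		return nil, errors.New("token has expired")
	}
	return claims, nil
}
```

The alg pin is the part worth carrying over to any policy: when the recipient key is a certificate, only an asymmetric algorithm makes sense, and the header must not be allowed to select the algorithm on the token's behalf. Expiry is checked against a caller-supplied clock so the same function can be exercised for both the valid and the expired case.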