Use the new version of the notifications-python-client. This version no longer adds the req and pay to the claims of the jwt.

The change is backward compatible, so an older client that sends a jwt with the extra claims will still pass authentication.
Once all the clients have been updated to stop including the extra claims, the method signatures will be updated to exclude them as well.
Rebecca Law
2016-04-14 18:12:33 +01:00
parent b9ca7c239a
commit 282a62e636
3 changed files with 15 additions and 22 deletions


@@ -1,6 +1,6 @@
from flask import request, jsonify, _request_ctx_stack, current_app
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError
from werkzeug.exceptions import abort
from app.dao.api_key_dao import get_unsigned_secrets
from app import api_user
@@ -43,12 +43,8 @@ def requires_auth():
)
_request_ctx_stack.top.api_user = api_client
return
except TokenRequestError:
errors_resp = authentication_response("Invalid token: request", 403)
except TokenExpiredError:
errors_resp = authentication_response("Invalid token: expired", 403)
except TokenPayloadError:
errors_resp = authentication_response("Invalid token: payload", 403)
except TokenDecodeError:
errors_resp = authentication_response("Invalid token: signature", 403)