To follow up on this… my issues turned out to be a bad formatted plugin config file. I had:
'users-permissions': {
config: {
jwt: {
jwtSecret: env('JWT_SECRET'),
}
},
},
Instead of:
'users-permissions': {
config: {
jwtSecret: env('JWT_SECRET'),
},
},
So it was merging the jwtSecret with the jwt options which get sent to jsonwebtoken. jwtSecret is not a valid option, so jsonwebtoken was throwing an error back to Strapi.