The Auth for Apps documentation mentions that the first install should not include a JWT:
"First install: None; no JWT token. Because there was no previous shared secret the recipient cannot validate a JWT token. This means that you should anticipate that there will be no Authorization header present."
However, in practice, we’ve seen a request that includes a JWT.
In this case, we’ve installed/uninstalled this application several times during testing. Could that be why we see a JWT come in the install payload?
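An added example, not part of the original post and not Atlassian's code: an install-callback check that handles both cases raised above, a request with no Authorization header and an install that arrives with a JWT. It assumes HS256 tokens sent as `Authorization: JWT <token>`, a per-tenant secret store keyed by `clientKey`, and that a JWT on a repeat install is signed with the secret kept from the earlier install; all function names and decision labels are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Build a constructed test token; stands in for the host product."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str, now: float) -> bool:
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        claims = json.loads(_unb64url(body))
        given = _unb64url(sig)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":  # refuse "none" and unexpected algorithms
        return False
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    exp = claims.get("exp")
    return hmac.compare_digest(expected, given) and isinstance(exp, (int, float)) and exp > now

def classify_install(auth_header, client_key, secrets, now=None):
    """Decide how to treat an install callback for client_key (assumed policy)."""
    now = time.time() if now is None else now
    known = secrets.get(client_key)  # secret kept from an earlier install, if any
    if not auth_header:
        # Unsigned install for a known tenant could overwrite its secret: refuse.
        return "first-install" if known is None else "reject-unsigned-reinstall"
    scheme, _, token = auth_header.partition(" ")
    if scheme != "JWT" or not token:
        return "reject-malformed-header"
    if known is None:
        # JWT present but nothing stored to check it against (e.g. secret deleted on uninstall).
        return "unverifiable-jwt"
    return "verified-reinstall" if verify_hs256(token, known, now) else "reject-bad-jwt"
```

This checks only the signature, algorithm and expiry; any further claim checks the host's JWTs call for belong in `verify_hs256` before the result is trusted.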