- Issues real signed JWTs (HS256, configurable secret)

- Accepts any client_id/client_secret in client_credentials flow

- Accepts any username/password in password flow

- Config: port, issuer, signingSecret, tokenTtlSeconds, extraClaims

- Why: Auth is the #1 reason developers need a running service to test against; every protected API needs it