Serves /.well-known/openid-configuration, /oauth/token, /oauth/authorize endpoints - Issues real signed JWTs (HS256, configurable secret) - Accepts any client_id/client_secret in client_credentials flow - Accepts any username/password in password flow - Config: port, issuer, signingSecret, tokenTtlSeconds, extraClaims - Why: Auth is the #1 reason developers need a running service to test against; every protected API needs it
