The Bearer prefix is not relevant. I tried with and without "bearer". Whenever a JWT token is used you will get 500 Internal Server Error - the content of the JWT doesn’t play a role. As soon as you omit the authentication header or write random stuff into the field you will get 401 Unauthorized.
I think the JWT validation has a bug and crashes on each validation (which explains the 500).
A correctly working validation would return 401 Unauthorized when the JWT isn’t valid.
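The status mapping the post expects, as an added example that is not part of the original post and not the service's own code: every token failure (malformed, bad signature, expired) is caught and turned into 401, so none of them surfaces as a 500. HS256, the `Bearer` scheme, the secret and all function names are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the page

class InvalidToken(Exception):
    """Any token problem the client is responsible for (maps to 401)."""

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes = SECRET) -> dict:
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:  # wrong part count, bad base64 or JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp < time.time():
        raise InvalidToken("expired or missing exp")
    return claims

def status_for(authorization):
    """HTTP status for a request carrying this Authorization header value."""
    if not authorization:
        return 401  # header omitted
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401  # random content in the field
    try:
        verify_hs256(token.strip())
    except InvalidToken:
        return 401  # invalid JWT is a client error, never a crash
    return 200
```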