Authentication Policy Origins JWT - Internal vs Public Access

I am building a simple test system that keeps track of Smoke Detector Batteries.
The database entity is simple: Smoke Detector location (in the house) and date of battery install.
In Istio, I have three services:
[1] Smoke-Detector-Service (provides a list of all smoke detectors - providing name and date of install, also has methods to CRUD detectors)
[2] Alert-Email-Service (every day it calls the Smoke-Detector-List service and sends an email alert for the detectors with a battery older than 11 months)
[3] Web-Interface (provides a webpage to access smoke detectors and create/update/delete records)

Istio Configuration (Gateway/VirtualService)
[A] [3]Web-Interface and [1]Smoke-Detector-Service are exposed publicly via Gateway/VirtualService
[B] [2] Alert-Email-Service is not exposed publicly

The [3]Web-Interface calls the [1]Smoke-Detector-Service and it works beautifully until I try to secure the [1]Smoke-Detector-Service.
I secure it ([1]) by using an Authentication/Policy-Origins-JWT and it works so far.
The user has to log in to the web-app, uses Keycloak to get the auth token, then calls the secured [1]Smoke-Detector-Service with the token, and it works well.

The Problem:
The problem is that, when I enable the Authentication/Policy-Origins-JWT for the [1]Smoke-Detector-Service, the internal [2]Alert-Email-Service cannot access it.
How do I secure a service using Authentication/Policy-Origins-JWT but allow it to be called from inside the mesh (without using JWT inside the mesh)?
Basically I want a mesh where all internal services are trusted (no JWT needed), but services available internally and also exposed to the Internet (public) are secured from outside via JWT.

Was I clear in what I am looking for?
Is Istio capable of this? How to configure it?
Any help is greatly appreciated…

There are 2 options to solve this:

  1. You can apply the JWT policy on your [3]Web-Interface but not on [1]Smoke-Detector-Service.
  2. You can set the JWT policy with originIsOptional: true and use Istio Authorization policy to enforce different access control based on the source of the request. You can write an authorization policy that requires a JWT token only if the request is coming from [3]Web-Interface.
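As an added illustration of option 2 (this is example configuration written for this page, not the poster's or the Istio project's own manifests), the two objects below make the JWT optional at the authentication layer and then let an AuthorizationPolicy decide who may skip it. The namespace `smoke`, the service account `alert-email-sa`, the label `app: smoke-detector-service`, and the Keycloak realm URL are all assumed placeholder values; substitute your own. It goes slightly beyond the answer's wording: instead of special-casing the Web-Interface, it grants the trusted in-mesh caller access by its mTLS service-account identity and requires a valid token from every other source, which also covers traffic arriving through the public Gateway.

```yaml
# Constructed example, not from the original post. Placeholder names:
# namespace "smoke", service account "alert-email-sa", issuer URL for Keycloak.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: smoke-detector-jwt
  namespace: smoke
spec:
  targets:
  - name: smoke-detector-service
  peers:
  - mtls: {}                   # mTLS gives in-mesh callers a verifiable identity
  origins:
  - jwt:
      issuer: "https://keycloak.example.com/auth/realms/smoke"
      jwksUri: "https://keycloak.example.com/auth/realms/smoke/protocol/openid-connect/certs"
  originIsOptional: true       # a missing JWT is no longer rejected here ...
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: smoke-detector-access
  namespace: smoke
spec:
  selector:
    matchLabels:
      app: smoke-detector-service
  action: ALLOW                # ... but a request matching no rule below is denied
  rules:
  # Rule 1: the internal Alert-Email-Service, identified by its mTLS
  # service-account principal, needs no JWT.
  - from:
    - source:
        principals: ["cluster.local/ns/smoke/sa/alert-email-sa"]
  # Rule 2: any other caller (Web-Interface, or traffic coming in through the
  # Gateway) must carry a JWT that validated against the issuer above.
  - from:
    - source:
        requestPrincipals: ["https://keycloak.example.com/auth/realms/smoke/*"]
```

Two things worth checking after applying this: an ALLOW policy denies everything that matches none of its rules, so a caller with neither a trusted principal nor a valid token gets a 403 rather than falling through; and rule 1 only works when the caller's request actually arrives over mTLS, since the `principals` field is derived from the peer certificate, which is why the `peers` section stays in the Policy even though the origin is optional.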