79828327

Date: 2025-11-24 06:32:34
Score: 1.5

The safest and simplest approach is to make the v2 identity service the single source of truth for login, JWT issuance, RBAC checks, and KYC events, and have the legacy v1 system integrate with it over a well-defined REST or gRPC API (REST is usually easier for legacy systems; gRPC is faster if both sides support it). Let v1 delegate all auth-related operations to v2: for login, v1 redirects or proxies requests to the v2 auth endpoints; for permission checks, v1 validates incoming JWTs using v2’s public keys; and for KYC updates, v2 sends asynchronous webhooks or message-queue events that v1 consumes. Avoid duplicating identity logic in v1—treat v2 as a black-box identity provider. This keeps the integration secure, incremental, and future-proof while minimizing changes inside the monolith.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Single line (0.5):
  • Low reputation (1):
Posted by: Ethan Parker
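
The permission-check step described in the answer (v1 validating incoming JWTs with v2's public keys) could look like the following. This is an added example, not code from the answer or from either system; the key pair is generated locally as a stand-in for v2's signing key, and `issueToken`, `verifyToken`, `V2_KEYS`, the `kid` value and the claim names are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the v2 identity service's signing key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
// v1 holds only v2's public keys, indexed by key id (kid value is hypothetical).
const V2_KEYS = new Map([['v2-key-1', publicKey]]);
const b64u = (s) => Buffer.from(s).toString('base64url');
const parse = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));

// v2 side (hypothetical helper): issue an RS256-signed JWT at login.
function issueToken(claims, kid = 'v2-key-1') {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// v1 side: verify every incoming token against v2's public key before trusting a claim.
function verifyToken(token, keys, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try {
    header = parse(parts[0]);
    claims = parse(parts[1]);
  } catch (e) {
    return fail('malformed');
  }
  if (!header || !claims) return fail('malformed');
  // Pin the algorithm: the token header must not be able to select "none" or an HMAC.
  if (header.alg !== 'RS256') return fail('bad alg');
  const key = keys.get(header.kid);
  if (!key) return fail('unknown kid');
  const sigOk = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), key,
    Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return fail('bad signature');
  // Signature is valid; now check the token was issued by v2, for v1, and is still live.
  if (claims.iss !== issuer) return fail('bad issuer');
  if (claims.aud !== audience) return fail('bad audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  return { ok: true, claims };
}
```

Role or permission claims are read only from the `claims` object returned on success, never from the raw token payload.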