
Sign and Encrypt JWT

How to sign and encrypt JWT tokens? In Apigee we can either sign the JWT or encrypt it, but we can't do both. So I need to know: is it achievable?

Is there any sample policy to do the same?

Accepted solution

JWTs are either signed or encrypted.

You can create a signed JWT, and then encrypt THAT. This is a common pattern; it is sometimes called "nesting". See a discussion here. In Apigee, you can do this with two successive invocations of the GenerateJWT policy, passing the output of the first as the input of the second.

You can create an encrypted JWT. I suppose you could sign the result of THAT. I have never seen this pattern, and I think it makes no sense. But if you want to do it in Apigee, you could likewise do it with two successive invocations of the GenerateJWT policy. (Or you could use GenerateJWS for the 2nd invocation.)

As far as I know there is no way to sign-and-encrypt the same thing in one step. The common pattern is encrypt(sign(payload)). In English, sign-then-encrypt. In more words, first sign, then encrypt the result of that.

Maybe you want to sign a payload, and also encrypt the same payload, and get two distinct JWTs. That you can do, again, with two distinct invocations of GenerateJWT. This would be sensible only if you send these tokens to different systems. The signed JWT is easily decodable, so it makes no sense to send a signed JWT along with an encrypted JWT that uses the same payload. The signed JWT would allow the full payload to be easily read, thus rendering the encryption useless.

In some cases people want the encrypt(sign(payload)) pattern, but the output should be a JWE. In other words, they do not want an encrypted JWT, but instead want an output that is just a JWE. For that you would use this Java callout for the 2nd step. There is no built-in policy in Apigee at this time that produces a generic JWE. We're working on it.

If this does not answer your question, you will need to clarify your requirements for us, without saying "Signed and encrypted at the same time". That's not sensible.
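The sign-then-encrypt nesting described in the accepted answer, as an added stand-alone example that is not from the original post and not Apigee's own policy code: the inner token is an HS256 JWS, the outer is a compact JWE using direct A256GCM with the cty=JWT header that marks a nested JWT, and the receiver reverses the order (decrypt, then verify). It also shows the point about the signed JWT being readable: PeekPayload recovers the claims with no key. Keys and claims in the test are constructed placeholders.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/hmac"; "crypto/rand"; "crypto/sha256"; "encoding/base64"; "errors"; "strings")

var b64 = base64.RawURLEncoding

func hs256(in string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(in))
	return mac.Sum(nil)
}
// SignHS256 is step 1 (sign): a compact JWS header.payload.signature over the JSON claims.
func SignHS256(claims string, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	return in + "." + b64.EncodeToString(hs256(in, key))
}
// PeekPayload reads a signed JWT's claims with no key at all: the payload segment is only base64url.
func PeekPayload(jws string) string {
	b, _ := b64.DecodeString(strings.Split(jws, ".")[1])
	return string(b)
}
// EncryptNested is step 2 (encrypt): the whole JWS becomes the plaintext of a compact JWE
// (alg "dir", enc A256GCM); cty=JWT tells the receiver a JWT is inside (RFC 7519 section 5.2).
func EncryptNested(jws string, cek []byte) (string, error) {
	hdr := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM","cty":"JWT"}`))
	block, err := aes.NewCipher(cek) // cek must be 32 bytes for A256GCM
	if err != nil { return "", err }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil { return "", err }
	out := aead.Seal(nil, iv, []byte(jws), []byte(hdr)) // AAD = ASCII(protected header)
	n := len(out) - aead.Overhead()                      // ciphertext | 16-byte GCM tag
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv), b64.EncodeToString(out[:n]), b64.EncodeToString(out[n:])}, "."), nil
}

// DecryptAndVerify undoes the nesting in reverse order: decrypt the JWE, then verify the inner JWS.
func DecryptAndVerify(jwe string, cek, sigKey []byte) (string, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 { return "", errors.New("malformed JWE") }
	block, err := aes.NewCipher(cek)
	if err != nil { return "", err }
	aead, _ := cipher.NewGCM(block)
	iv, err := b64.DecodeString(p[2]); ct, _ := b64.DecodeString(p[3]); tag, _ := b64.DecodeString(p[4])
	if err != nil || len(iv) != aead.NonceSize() { return "", errors.New("bad IV") }
	jws, err := aead.Open(nil, iv, append(ct, tag...), []byte(p[0])) // tag mismatch: tampered or foreign token
	if err != nil { return "", err }
	q := strings.Split(string(jws), ".")
	if len(q) != 3 { return "", errors.New("malformed inner JWS") }
	sig, err := b64.DecodeString(q[2])
	if err != nil || !hmac.Equal(sig, hs256(q[0]+"."+q[1], sigKey)) { return "", errors.New("bad inner signature") }
	return PeekPayload(string(jws)), nil
}
```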

