{"algorithm":"Ed25519","public_key_b64":"FsZECNfa4kCX2dI0Dc2NtD9DpV5By4EbSUAcQPFJ4HU=","public_key_format":"raw 32 bytes (RFC 8032), base64 encoded","canonicalisation":"JSON sorted keys, separators=(',',':'), UTF-8","note":"Public key is derived deterministically from JWT_SECRET_KEY. It rotates if and only if that secret rotates -- monitor this endpoint and re-validate cached signatures after a rotation."}