# Test JWT Signing Keys

These ES256 (`prime256v1`) private keys are **test fixtures only** — they are mounted into the test SUT container by `docker-compose.test.yml` so the AZ-532 JWKS / signing tests can exercise a real two-key configuration without any runtime setup hooks.

- `kid-test-a.pem` — primary signing key in tests (matches `JwtConfig__ActiveKid`).
- `kid-test-b.pem` — secondary key kept in JWKS to exercise the rotation overlap acceptance criterion (AZ-532 AC-3).

**Never** copy these into a production secrets directory. Production keys live in `secrets/jwt-keys/` and are generated per environment by `scripts/generate-jwt-key.sh`. The kid is the filename without `.pem`.
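One way to enforce the rule above in CI, as an added example that is not part of this repository's scripts: it flags any key in the production directory that reuses a fixture kid or carries the same private-key bytes as a fixture. The `fixtures` directory name, the `kid-prod-1` and `kid-renamed` file names, and the sample byte strings are assumptions constructed for the demo.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def kid_for(path):
    """The kid is the filename without `.pem` (rule stated in this README)."""
    return Path(path).stem

def private_key_digests(path):
    """SHA-256 of each decoded *PRIVATE KEY block (ignores wrapping and CRLF).
    EC PARAMETERS blocks are skipped: they are the same for every prime256v1 key."""
    text = Path(path).read_text(encoding="ascii", errors="replace")
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for label, body in PEM_BLOCK.findall(text) if label.endswith("PRIVATE KEY")}

def find_leaked_fixtures(fixture_dir, prod_dir):
    """List (prod file, reason) for keys that reuse a fixture kid or fixture key bytes."""
    fixtures = {d: kid_for(f) for f in Path(fixture_dir).glob("*.pem")
                for d in private_key_digests(f)}
    fixture_kids = set(fixtures.values())
    findings = []
    for p in sorted(Path(prod_dir).glob("*.pem")):
        if kid_for(p) in fixture_kids:
            findings.append((p.name, "kid collides with test fixture"))
        for d in sorted(private_key_digests(p)):
            if d in fixtures:
                findings.append((p.name, "same key material as " + fixtures[d]))
    return findings

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def demo():
    """Constructed sample: byte strings shaped like PEM files, not real keys."""
    params = pem("EC PARAMETERS", b"constructed-curve-oid")
    key_a, key_b, key_p = (bytes([i]) * 48 for i in (1, 2, 3))
    with tempfile.TemporaryDirectory() as tmp:
        fx, prod = Path(tmp, "fixtures"), Path(tmp, "secrets", "jwt-keys")
        fx.mkdir(); prod.mkdir(parents=True)
        (fx / "kid-test-a.pem").write_text(params + pem("EC PRIVATE KEY", key_a))
        (fx / "kid-test-b.pem").write_text(params + pem("EC PRIVATE KEY", key_b))
        # Hypothetical production kids: one clean key, one fixture copied with CRLF.
        (prod / "kid-prod-1.pem").write_text(params + pem("EC PRIVATE KEY", key_p))
        (prod / "kid-renamed.pem").write_text(pem("EC PRIVATE KEY", key_b).replace("\n", "\r\n"))
        return find_leaked_fixtures(fx, prod)

if __name__ == "__main__":
    print(demo())
```

The digest is taken over the encoded key bytes, so a fixture re-encoded from SEC1 to PKCS#8 would not match; catching that requires comparing public keys with a crypto library.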