src/api/SIGCM2.Api/keys/README.md

# JWT RSA Keys

This directory holds the RSA 2048 key pair used for JWT RS256 signing.

## Files (gitignored)

- `private.pem` — RSA private key (NEVER commit this)
- `public.pem`  — RSA public key (NEVER commit this)
- `.gitkeep`    — keeps this directory tracked in git

## Regenerate keys

Run from the repo root (requires PowerShell 7 / pwsh):

```powershell
pwsh -File scripts/generate-keys.ps1
```

## Production

In production, set these environment variables instead of files:

```
JWT__PrivateKey=<base64-encoded PEM content>
JWT__PublicKey=<base64-encoded PEM content>
```

The API's `RsaKeyLoader` checks environment variables first, falls back to files.
chore(udt-001): RSA key generation script 2026-04-13 21:35:56 -03:00			`# JWT RSA Keys`

			`This directory holds the RSA 2048 key pair used for JWT RS256 signing.`

			`## Files (gitignored)`

			- `private.pem` — RSA private key (NEVER commit this)
			- `public.pem` — RSA public key (NEVER commit this)
			- `.gitkeep` — keeps this directory tracked in git

			`## Regenerate keys`

			`Run from the repo root (requires PowerShell 7 / pwsh):`

			```powershell
			`pwsh -File scripts/generate-keys.ps1`
			```

			`## Production`

			`In production, set these environment variables instead of files:`

			```
			`JWT__PrivateKey=<base64-encoded PEM content>`
			`JWT__PublicKey=<base64-encoded PEM content>`
			```

			The API's `RsaKeyLoader` checks environment variables first, falls back to files.