# JWT RSA Keys

This directory holds the RSA 2048 key pair used for JWT RS256 signing.

## Files (gitignored)

- `private.pem` — RSA private key (NEVER commit this)
- `public.pem` — RSA public key (NEVER commit this)
- `.gitkeep` — keeps this directory tracked in git

## Regenerate keys

Run from the repo root (requires PowerShell 7 / pwsh):

```powershell
pwsh -File scripts/generate-keys.ps1
```

## Production

In production, set these environment variables instead of files:

```
JWT__PrivateKey=
JWT__PublicKey=
```

The API's `RsaKeyLoader` checks environment variables first and falls back to the files.
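
A check for the key files listed under "Files", as an added example that is not part of this repository's scripts: it confirms that both PEM files parse, that the key is 2048-bit, that `public.pem` belongs to `private.pem`, and that git ignores both. It assumes PowerShell 7.1 or later (for `ImportFromPem`), git on PATH, and a hypothetical `$KeyDir` parameter pointing at this directory.

```powershell
# Added example. Assumes PowerShell 7.1+ (.NET 5+, needed for ImportFromPem)
# and git on PATH. $KeyDir is a hypothetical parameter; point it at this directory.
param([string]$KeyDir = '.')
$ErrorActionPreference = 'Stop'

function Import-RsaPem([string]$Path) {
    # Parses a PEM-encoded RSA key (PKCS#1, PKCS#8 or SubjectPublicKeyInfo).
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportFromPem((Get-Content -Raw -LiteralPath $Path))
    $rsa
}

$privPath = Join-Path $KeyDir 'private.pem'
$pubPath  = Join-Path $KeyDir 'public.pem'
$problems = [System.Collections.Generic.List[string]]::new()

$priv = Import-RsaPem $privPath
$pub  = Import-RsaPem $pubPath
try {
    # The README states RSA 2048; flag anything else.
    if ($priv.KeySize -ne 2048) {
        $problems.Add("private.pem is $($priv.KeySize) bits, expected 2048")
    }

    # The pair matches when modulus and public exponent are identical.
    # -ceq is used because -eq compares strings case-insensitively.
    $a = $priv.ExportParameters($false)
    $b = $pub.ExportParameters($false)
    $same = ([Convert]::ToBase64String($a.Modulus)  -ceq [Convert]::ToBase64String($b.Modulus)) -and
            ([Convert]::ToBase64String($a.Exponent) -ceq [Convert]::ToBase64String($b.Exponent))
    if (-not $same) { $problems.Add('public.pem does not belong to private.pem') }
}
finally { $priv.Dispose(); $pub.Dispose() }

# git check-ignore exits 0 only for paths that are ignored and untracked.
foreach ($p in $privPath, $pubPath) {
    git check-ignore -q -- $p
    if ($LASTEXITCODE -ne 0) { $problems.Add("$p is not ignored by git (or is already tracked)") }
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Error $_ -ErrorAction Continue }
    exit 1
}
'Key pair OK: 2048-bit, matching, and ignored by git.'
```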