Public JWKS

Endpoints

  • JWKS (recommended): https://api.cloakapi.io/.well-known/cloakapi-receipt-pubkeys.jwks
  • PEM (legacy): https://api.cloakapi.io/.well-known/cloakapi-receipt-pubkey.pem

The JWKS is a standard RFC 7517 JSON Web Key Set:

{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "kid": "gw-eu-west-2026-04",
      "x": "BASE64URL_X",
      "y": "BASE64URL_Y",
      "use": "sig",
      "alg": "ES256",
      "x5t#S256": "BASE64URL_FINGERPRINT"
    }
  ]
}

Key rotation

  • New keys are issued on the first day of each calendar quarter: gw-eu-west-2026-04, gw-eu-west-2026-07, gw-eu-west-2026-10, …
  • The new key signs receipts immediately; the old key remains in the JWKS forever so historic receipts continue to verify.
  • Compromise rotation: if a key needs to be revoked, it gets the revoked: true claim in the JWKS entry. Verifiers should reject receipts signed by revoked keys.

Caching guidance

Cache the JWKS for at most 1 hour locally — fetch fresh on every unknown kid to pick up rotations. The endpoint serves Cache-Control: public, max-age=300.

Multi-region keys

Each gateway region issues its own key:

| Region                      | kid prefix     |
|-----------------------------|----------------|
| EU west (Hetzner Nuremberg) | gw-eu-west-    |
| EU central (planned)        | gw-eu-central- |
| US east (planned)           | gw-us-east-    |

A receipt’s kid tells you which region produced it.
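
One way a verifier could apply the rotation, revocation and caching rules above when resolving a receipt's kid, as an added example that is not CloakAPI's own code. JwksKeyResolver, KeyRejected, region_of, the injected fetch callable and the 30-second MIN_REFETCH floor are assumptions; signature verification is left out because this page does not define the receipt format.

```python
import time

MAX_AGE = 3600     # page: cache the JWKS for at most 1 hour
MIN_REFETCH = 30   # assumption: floor between refetches triggered by unknown kids
REGION_PREFIXES = ("gw-eu-west-", "gw-eu-central-", "gw-us-east-")  # page's table


class KeyRejected(Exception):
    """The kid must not be used to verify a receipt."""


class JwksKeyResolver:
    """Hypothetical helper: maps a receipt's kid to a usable JWK."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch          # callable returning the parsed JWKS dict
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def resolve(self, kid):
        # Refuse kids outside the documented regions before touching the network.
        if not isinstance(kid, str) or not kid.startswith(REGION_PREFIXES):
            raise KeyRejected(f"unexpected kid: {kid!r}")
        age = None if self._fetched_at is None else self._clock() - self._fetched_at
        stale = age is None or age >= MAX_AGE
        # Unknown kid: refetch to pick up a rotation, but not more often than
        # MIN_REFETCH, so bogus kids cannot force a fetch per receipt.
        if stale or (kid not in self._keys and age >= MIN_REFETCH):
            self._refresh()
        key = self._keys.get(kid)
        if key is None:
            raise KeyRejected(f"unknown kid: {kid!r}")
        if key.get("revoked"):
            raise KeyRejected(f"revoked key: {kid!r}")
        if (key.get("kty"), key.get("crv"), key.get("alg")) != ("EC", "P-256", "ES256"):
            raise KeyRejected(f"not an ES256 P-256 key: {kid!r}")
        return key


def region_of(kid):
    """Region prefix of a kid, e.g. 'gw-eu-west-' for 'gw-eu-west-2026-04'."""
    return next((p for p in REGION_PREFIXES if kid.startswith(p)), None)
```

Pass a fetch callable that downloads and JSON-parses the JWKS endpoint. With a one-hour cache, a revoked: true flag can take up to an hour to reach this verifier; a smaller MAX_AGE shortens that window.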