Attesto.Keystore.Static (Attesto v0.6.0)


A simple Attesto.Keystore backed by application configuration.

Reads its signing material from the :attesto application environment:

```elixir
# current_pem, previous_pem, current_kid and previous_kid are placeholders
# for your own values (for example, read from the environment as above).
config :attesto, Attesto.Keystore.Static,
  signing_pem: System.fetch_env!("OAUTH_SIGNING_PRIVATE_KEY_PEM"),
  # optional; defaults to [signing_pem] when omitted
  verification_pems: [current_pem, previous_pem],
  # optional; RSA defaults to RS256, EC/OKP infer from curve
  signing_alg: "PS256",
  # optional; maps each key id to the algorithm it verifies under
  key_algs: %{current_kid => "PS256", previous_kid => "RS256"}
```

Only signing_pem is required. When verification_pems is omitted, the verification set is exactly the signing key, which is the correct single-key default; and because Attesto derives the public half from the private key, the signing and verifying keys can never drift.

During a rotation, set verification_pems to both the new and old keys while signing_pem points at the new one; once no live tokens minted under the old key remain, drop it from the list.
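As an added illustration of the rotation model described above (not Attesto's own code), the following module uses only OTP's :public_key to derive the public half from each private PEM, to default the verification set to the signing key, and to show that a signature made under the old key is accepted while that key stays in verification_pems and rejected once it is dropped. Key generation and PEM encoding are constructed inline to stand in for config values, and :sha256 PKCS#1 v1.5 signing here corresponds to RS256.

```elixir
defmodule RotationDemo do
  # Added illustration, not Attesto's code. RSA PKCS#1 v1.5 with SHA-256 (RS256).

  # Decode one PEM-encoded RSA private key into an OTP :public_key record.
  # On current OTP a PKCS#8 "PRIVATE KEY" entry decodes to the inner RSAPrivateKey.
  def private_from_pem(pem) do
    [entry] = :public_key.pem_decode(pem)
    :public_key.pem_entry_decode(entry)
  end

  # Derive the public half from the private key (modulus and public exponent),
  # so the verifying key can never drift from the signing key.
  def public_of({:RSAPrivateKey, _ver, n, e, _d, _p, _q, _dp, _dq, _qi, _other}),
    do: {:RSAPublicKey, n, e}

  # Verification set: the explicit PEMs, or exactly the signing key when omitted.
  def verification_keys(signing_pem, nil), do: [public_of(private_from_pem(signing_pem))]
  def verification_keys(_signing_pem, pems), do: Enum.map(pems, &public_of(private_from_pem(&1)))

  def sign(msg, signing_pem), do: :public_key.sign(msg, :sha256, private_from_pem(signing_pem))

  # Accept the signature if any key in the verification set validates it.
  def verify?(msg, sig, pubs), do: Enum.any?(pubs, &:public_key.verify(msg, :sha256, sig, &1))

  # Constructed test material: a fresh key encoded as PEM, standing in for a config value.
  def fresh_pem do
    key = :public_key.generate_key({:rsa, 2048, 65537})
    :public_key.pem_encode([:public_key.pem_entry_encode(:RSAPrivateKey, key)])
  end

  def run do
    old_pem = fresh_pem()
    new_pem = fresh_pem()
    msg = "header.payload"

    # Before rotation: verification_pems omitted, so the set is the signing key alone.
    old_sig = sign(msg, old_pem)
    true = verify?(msg, old_sig, verification_keys(old_pem, nil))

    # Rotation window: sign with the new key, verify with both.
    window = verification_keys(new_pem, [new_pem, old_pem])
    true = verify?(msg, sign(msg, new_pem), window)
    true = verify?(msg, old_sig, window)

    # After the old key is dropped, signatures made under it are no longer accepted.
    false = verify?(msg, old_sig, verification_keys(new_pem, nil))
    :ok
  end
end
```

Run with `RotationDemo.run()` in `iex`; each `true =` / `false =` match raises if the verification outcome differs from the rotation rule it checks.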

Hosts with their own resolution (a secrets manager, a fail-fast boot check, an HSM) implement Attesto.Keystore directly instead of using this module.