
JWT clarifications needed

Open dickhardt opened this issue 10 months ago • 0 comments

In the first JWT, it looks like `"jti": "nonce"` should be `"jti": "challenge from Sec-Session-Challenge header"`.

`"key": "public key"` is vague. Perhaps use a JWK?

Why is the session ID not in the first JWT as a sub?

Why is the second JWT different? Could it not be the same?

It looks like you are intentionally not having an `iss` claim; clarify that it should not be included, as well as what else should not be included. This then leads to describing the JWT verification steps the server should follow.

dickhardt avatar Apr 06 '24 08:04 dickhardt