Public key in JWT

[bc-pi]

Please consider using the jwk header parameter to convey the public key in the JWT sent by the browser. That would better leverage existing standards, be similar to how DPoP did much the same thing: https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-proof-jwt-syntax, and remove ambiguity of "key": "public key", in the current example.