Issuer keys — UpSkillZone
Every UpSkillZone credential carries an Ed25519 signature whose verificationMethod points at a specific key id. For trust to be independently verifiable, the corresponding public keys — current and historical — have to live at a stable, unauthenticated URL anyone can fetch. This page renders that key set live from the same endpoints a verifier script would hit; no edge cache, no client-side rehydration.
The cryptographic identity that signs every credential. Mirrors the Open Badges 3.0 issuer profile published at /.well-known/issuer.jsonld.
Every key currently advertised in /.well-known/jwks.json. The last 16 characters of x are shown so you can fingerprint a match without scrolling a 43-char base64 blob.
| kid | alg | kty | crv | status | x (tail 16) |
|---|---|---|---|---|---|
| key-2026-1 | EdDSA | OKP | Ed25519 | active | …-NBFdrOp3XEfM0dA |
Verify locally
Don’t take our word for it — fetch the same JSON we render from above, straight from the source:
curl https://upskillzone.com/.well-known/jwks.json | jq '.keys[]'Keys we have rotated out of signing duty but keep publishing so credentials they signed remain verifiable.
None yet. First rotation scheduled for 2026-08-04.
The operational rules behind every rotation. Codified here, not locked inside an internal runbook.
Three lines in any JOSE-compatible runtime. Pin the JWKS URL, look up the kid from the credential proof header, and verify with EdDSA.
# Python — verify with PyJWT (or jose)
import httpx, jwt
jwks = httpx.get("https://upskillzone.com/api/v1/.well-known/jwks.json").json()
key = next(k for k in jwks["keys"] if k["kid"] == header["kid"])
jwt.decode(token, key=key, algorithms=["EdDSA"], options={"verify_aud": False})