ed25519 project keys + their JWKS endpoints.

every envelope your project signs is verifiable against a public JWK you publish at /.well-known/oc-jwks.json. OC verifies signatures against your published JWKS, not against any key OC holds — your private key never leaves your infra.

§ sample data

this page renders representative integrator state so you can see what the dashboard looks like without signing up. it is not your project. to manage a real project, go to /developer and create one.

create real project →

production · web frontend

kid · pk_live_zap_yZcu29ib

live

public jwks · https://zaprite.example/.well-known/oc-jwks.json ↗

created · Feb 12, 2026

last used · 5h ago

production · billing worker

kid · pk_live_zap_8nT4qa1m

live

public jwks · https://zaprite.example/.well-known/oc-jwks.json ↗

created · Mar 4, 2026

last used · 6h ago

staging · CI suite

kid · pk_test_zap_3hRkx0v9

test

public jwks · https://staging.zaprite.example/.well-known/oc-jwks.json ↗

created · Feb 12, 2026

last used · 5h ago

§ rotating a key

# 1. generate a new keypair (any ed25519 lib works)
$ oc-keygen ed25519 > new.pem

# 2. publish the new public JWK at your endpoint
#    /.well-known/oc-jwks.json — include both keys during overlap

# 3. tell me.ochk.io about the rotation
$ oc keys add --kid pk_live_zap_NEW --pub new.pub.jwk

# 4. once envelopes start signing under the new kid,
#    remove the old key from your published JWKS
$ oc keys retire --kid pk_live_zap_OLD

§ how OC verifies

On every envelope OC fetches your published JWKS, looks up the kid the envelope claims, and verifies the signature against your x coordinate. If we can't resolve the kid, the envelope is rejected before it lands in the billing index.

OC also publishes its own JWKS at ochk.io/.well-known/jwks.json — your verifier should pin against that for the OC co-signature.