GET https://api.uip.digital/.well-known/uip-audit-jwks.json · Public · CORS-readable
Returns UIP’s current audit-signing public key and explicitly retained verification
keys. Use the key whose kid exactly matches uip_signature.kid in the audit
record. The endpoint is cacheable for five minutes; refresh it when a new kid
appears.uip_signature is a detached audit field, not a JWS object. Its value is a
base64url-encoded ASN.1 DER ECDSA signature over the 32-byte record digest.
The public key proves that the holder of UIP’s configured signing key signed the
canonical audit hash. It is separate from the symmetric key used to encrypt private
data. The endpoint makes no claim about whether a particular deployed key version is
software- or hardware-protected.See Get an audit record and
offline verification.