ECDSA JWT parsing uses JWTSecret instead of JWTPublicKey
Bug Description
In internal/token/jwt.go:67, the ParseJWTToken function uses p.config.JWTSecret instead of p.config.JWTPublicKey for ECDSA (ES256/ES384/ES512) token validation.
Signing correctly uses JWTPrivateKey, but parsing incorrectly uses JWTSecret instead of JWTPublicKey.
Impact
CRITICAL — All ECDSA token validation is broken. Tokens signed with the ECDSA private key cannot be verified because the wrong key material is used for parsing.
Fix
Change p.config.JWTSecret → p.config.JWTPublicKey on line 67 of internal/token/jwt.go.
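The mismatch described above, reproduced with the Go standard library only. This is an added example, not the project's code: the report does not show jwt.go or name the JWT library, so signES256, verifyES256 and demo are hypothetical. The local variables jwtSecret and jwtPublicKey stand in for p.config.JWTSecret and p.config.JWTPublicKey, with assumed types []byte and *ecdsa.PublicKey.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// signES256 returns header.claims.signature; the signature is raw r||s, 32 bytes each.
func signES256(priv *ecdsa.PrivateKey, claims string) string {
	in := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // error ignored: demo key and rand.Reader are valid
	return in + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// verifyES256 takes the key untyped, the way a JWT library's key callback hands it over.
func verifyES256(token string, key any) error {
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("ES256 verification needs *ecdsa.PublicKey, got %T", key)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("token has %d segments, want 3", len(parts))
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("ES256 signature check failed")
	}
	return nil
}

// demo verifies one token with the key the report says is used, then with the fixed key.
func demo() (withSecret, withPublic error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key, stands in for JWTPrivateKey
	jwtSecret, jwtPublicKey := []byte("constructed-hmac-secret"), &priv.PublicKey
	tok := signES256(priv, `{"sub":"constructed"}`)
	return verifyES256(tok, jwtSecret), verifyES256(tok, jwtPublicKey)
}

func main() { fmt.Println(demo()) }
```

Running it prints the key-type error for the secret and `<nil>` for the public key, which is the behaviour a regression test for the one-line fix should pin down.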