@agent-score/commerce 1.3.3 → 1.5.0

package/README.md

@@ -3,7 +3,7 @@
 [![npm version](https://img.shields.io/npm/v/@agent-score/commerce.svg)](https://www.npmjs.com/package/@agent-score/commerce)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 
-The full merchant-side SDK for [AgentScore](https://agentscore.sh) — agent commerce in one install. Ships identity gating, payment rail helpers, 402 challenge builders, MPP discovery, and Stripe multichain support. Built and maintained by AgentScore; works with any 402/MPP merchant in the ecosystem, AgentScore-gated or not.
+The full merchant-side SDK for [AgentScore](https://agentscore.sh): agent commerce in one install. Ships identity gating, payment rail helpers, 402 challenge builders, MPP discovery, and Stripe multichain support. Built and maintained by AgentScore; works with any 402/MPP merchant in the ecosystem, AgentScore-gated or not.
 
 ## Install
 
@@ -13,7 +13,7 @@ npm install @agent-score/commerce
 bun add @agent-score/commerce
 ```
 
-Framework + protocol packages are optional peer deps — install only what you use:
+Framework + protocol packages are optional peer deps; install only what you use:
 
 ```bash
 npm install hono mppx @x402/core @x402/evm @solana/mpp @solana/kit stripe   # whatever your stack needs
@@ -24,11 +24,11 @@ npm install hono mppx @x402/core @x402/evm @solana/mpp @solana/kit stripe   # wh
 | Subpath | What it provides |
 |---|---|
 | `/identity/{hono,express,fastify,nextjs,web}` | Trust gate middleware: KYC, sanctions, age, jurisdiction. `agentscoreGate(...)`, `getAgentScoreData(c)`, `captureWallet(...)`, `verifyWalletSignerMatch(...)`. Plus shared denial helpers: `denialReasonStatus`, `denialReasonToBody`, `buildSignerMismatchBody`, `buildContactSupportNextSteps`, `verificationAgentInstructions`, `isFixableDenial`, `FIXABLE_DENIAL_REASONS`. |
-| `/payment` | `networks`, `USDC`, `rails` registries; `paymentDirective`, `buildPaymentDirective`, `wwwAuthenticateHeader`, `paymentRequiredHeader`, `aliasAmountFields` (v1↔v2 amount field shim — emits both `amount` and `maxAmountRequired` so v1-only x402 parsers like Coinbase awal can read v2 bodies), `settlementOverrideHeader`, `dispatchSettlementByNetwork`, `extractPaymentSigner` (returns `{address, network}`); `createX402Server`, `createMppxServer`; drop-in x402 helpers: `validateX402NetworkConfig` (boot-time guard), `verifyX402Request` (parse + validate inbound X-Payment), `processX402Settle` (verify-then-settle with one call), `classifyX402SettleResult` (maps the tagged settle result to a recommended HTTP status / code / nextSteps so merchants get a controlled envelope without coupling to facilitator-specific error text). |
-| `/discovery` | `isDiscoveryProbeRequest`, `buildDiscoveryProbeResponse` (with optional `x402Sample` for x402-aware crawlers — `awal x402 details` etc.), `sampleX402AcceptForNetwork` (USDC sample-accept builder for known CAIP-2 networks), `buildWellKnownMpp`, `buildLlmsTxt` + `llmsTxtIdentitySection` + `llmsTxtPaymentSection` (compact + verbose modes), `buildSkillMd` (Claude-Skill-compatible `/skill.md` agent-discovery manifest — strictly agent-facing data only, no internal posture), `agentscoreOpenApiSnippets`, `createBazaarDiscovery`, `noindexNonDiscoveryPaths` (Hono middleware that emits `X-Robots-Tag: noindex` on every path except the agent-discovery surfaces — defaults cover `/openapi.json`, `/llms.txt`, `/skill.md`, `/.well-known/{mpp.json,agent-card.json,ucp}`, `/favicon.{png,ico}`; pure helpers `isDiscoveryPath` + `defaultDiscoveryPaths` for non-Hono frameworks). |
-| `/challenge` | `build402Body`, `buildAcceptedMethods`, `buildIdentityMetadata`, `buildHowToPay`, `buildAgentInstructions` (auto-emits per-rail `compatible_clients` — smoke-verified CLIs the agent should use; vendor override supported), `buildPricingBlock`, `firstEncounterAgentMemory`, `OrderReceipt`; `respond402` — drop-in 402 emit that preserves mppx's `WWW-Authenticate` and layers x402's `PAYMENT-REQUIRED`. `buildValidationError` — structured 4xx body builder (`{error: {code, message}, required_fields?, example_body?, next_steps?, ...extra}`) so vendors compose body shapes by name instead of inlining at every validation site. |
+| `/payment` | `networks`, `USDC`, `rails` registries; `paymentDirective`, `buildPaymentDirective`, `wwwAuthenticateHeader`, `paymentRequiredHeader`, `aliasAmountFields` (v1↔v2 amount field shim: emits both `amount` and `maxAmountRequired` so v1-only x402 parsers like Coinbase awal can read v2 bodies), `settlementOverrideHeader`, `dispatchSettlementByNetwork`, `extractPaymentSigner` (returns `{address, network}`); `createX402Server`, `createMppxServer`; drop-in x402 helpers: `validateX402NetworkConfig` (boot-time guard), `verifyX402Request` (parse + validate inbound X-Payment), `processX402Settle` (verify-then-settle with one call), `classifyX402SettleResult` (maps the tagged settle result to a recommended HTTP status / code / nextSteps so merchants get a controlled envelope without coupling to facilitator-specific error text). |
+| `/discovery` | `isDiscoveryProbeRequest`, `buildDiscoveryProbeResponse` (with optional `x402Sample` for x402-aware crawlers, e.g. `awal x402 details`), `sampleX402AcceptForNetwork` (USDC sample-accept builder for known CAIP-2 networks), `buildWellKnownMpp`, `buildLlmsTxt` + `llmsTxtIdentitySection` + `llmsTxtPaymentSection` (compact + verbose modes), `buildSkillMd` (Claude-Skill-compatible `/skill.md` agent-discovery manifest; strictly agent-facing data only, no internal posture), `agentscoreOpenApiSnippets`, `createBazaarDiscovery`, `noindexNonDiscoveryPaths` (Hono middleware that emits `X-Robots-Tag: noindex` on every path except the agent-discovery surfaces; defaults cover `/openapi.json`, `/llms.txt`, `/skill.md`, `/.well-known/{mpp.json,agent-card.json,ucp,jwks.json}`, `/favicon.{png,ico}`; pure helpers `isDiscoveryPath` + `defaultDiscoveryPaths` for non-Hono frameworks). |
+| `/challenge` | `build402Body`, `buildAcceptedMethods`, `buildIdentityMetadata`, `buildHowToPay`, `buildAgentInstructions` (auto-emits per-rail `compatible_clients`: smoke-verified CLIs the agent should use; vendor override supported), `buildPricingBlock`, `firstEncounterAgentMemory`, `OrderReceipt`; `respond402`, a drop-in 402 emit that preserves mppx's `WWW-Authenticate` and layers x402's `PAYMENT-REQUIRED`. `buildValidationError`: structured 4xx body builder (`{error: {code, message}, required_fields?, example_body?, next_steps?, ...extra}`) so vendors compose body shapes by name instead of inlining at every validation site. |
 | `/stripe-multichain` | `createMultichainPaymentIntent`, `getDepositAddress`, `simulateCryptoDeposit`, `createMppxStripe`; `createPiCache` (TTL'd PI / deposit-address cache, Redis-backed when `redisUrl` set, in-memory otherwise), `simulateDepositIfTestMode` (gates on `sk_test_` and looks up the PI for you), `STRIPE_TEST_TX_HASH_SUCCESS` / `STRIPE_TEST_TX_HASH_FAILED` constants. Peer dep on `stripe`. |
-| `/api` | Everything from `@agent-score/sdk` re-exported in one place: `AgentScore` + `AgentScoreError`, `AGENTSCORE_TEST_ADDRESSES` + `isAgentScoreTestAddress`. **Don't add `@agent-score/sdk` as a separate dep** — the two can drift versions and cause subtle type mismatches. |
+| `/api` | Everything from `@agent-score/sdk` re-exported in one place: `AgentScore` + `AgentScoreError`, `AGENTSCORE_TEST_ADDRESSES` + `isAgentScoreTestAddress`. **Don't add `@agent-score/sdk` as a separate dep**; the two can drift versions and cause subtle type mismatches. |
 
 ## Quick start
 
@@ -53,7 +53,7 @@ const _gate = agentscoreGate({
   createSessionOnMissing: { apiKey: process.env.AGENTSCORE_API_KEY!, context: "wine-purchase" },
 });
 
-// Run the gate CONDITIONALLY — only when a payment credential is already attached.
+// Run the gate CONDITIONALLY: only when a payment credential is already attached.
 // Anonymous discovery (no payment header) flows through to the handler so any spec-
 // compliant x402 wallet can read the 402 challenge with rails + pricing without first
 // proving identity. Identity is verified at settle time on the retry leg.
@@ -95,10 +95,10 @@ const directives = [
 ];
 const wwwAuth = wwwAuthenticateHeader(directives);
 
-// Recover the on-chain signer from the inbound credential — returns {address, network}.
+// Recover the on-chain signer from the inbound credential; returns {address, network}.
 // Covers x402 EIP-3009 (EVM `from` address), Tempo MPP (`did:pkh:eip155` source),
 // and Solana MPP `solana/charge` (via `did:pkh:solana` source when set, else by
-// decoding the credential's signed-tx payload — `@solana/kit` optional peer).
+// decoding the credential's signed-tx payload; `@solana/kit` optional peer).
 const signer = await extractPaymentSigner(req, req.headers.get("x-payment") ?? undefined);
 ```
 
@@ -117,7 +117,7 @@ const mppx = await createMppxServer({
     tempo: { recipient: process.env.TEMPO_RECIPIENT! },
     solana: {
       recipient: process.env.SOLANA_RECIPIENT!,
-      // Optional fee sponsor — pass any `TransactionPartialSigner` from `@solana/kit`.
+      // Optional fee sponsor: pass any `TransactionPartialSigner` from `@solana/kit`.
       // signer: solanaFeePayerSigner,
     },
     stripe: { profileId: process.env.STRIPE_PROFILE_ID!, secretKey: process.env.STRIPE_SECRET_KEY! },
@@ -170,7 +170,7 @@ const responseBody = build402Body({
 ```typescript
 import { buildIdempotencyKey, buildPaymentHeaders } from "@agent-score/commerce/payment";
 
-// Stable per-payment key — Stripe PI id wins, falls back to pi-{orderId}-{amountCents}.
+// Stable per-payment key: Stripe PI id wins, falls back to pi-{orderId}-{amountCents}.
 const idempotencyKey = buildIdempotencyKey({ paymentIntentId, orderId, amountCents });
 
 // One-call WWW-Authenticate + PAYMENT-REQUIRED bundle from a single rails declaration.
@@ -190,16 +190,62 @@ return new Response(JSON.stringify(responseBody), { status: 402, headers });
 ### Identity publishing (cross-vendor standards)
 
 ```typescript
-import { buildA2AAgentCard, buildUCPProfile } from "@agent-score/commerce";
+import { buildA2AAgentCard, buildUCPProfile, ucpA2AExtension } from "@agent-score/commerce";
+
+// Google A2A v1.0 Signed Agent Card; publish at /.well-known/agent-card.json.
+// Per UCP §A2A binding, the card MUST declare the canonical UCP extension URI;
+// pass `ucpA2AExtension()` with empty capabilities until you bind formal UCP
+// capabilities (dev.ucp.shopping.checkout, etc.).
+const card = buildA2AAgentCard({ name, url, capabilities, extensions: [ucpA2AExtension()], data: assess });
+
+// Google Universal Commerce Protocol; publish at /.well-known/ucp
+// Output shape: { ucp: { version, services, capabilities, payment_handlers,
+// name?, supported_versions? }, signing_keys: [...], signature?: "..." }
+// — services / capabilities / payment_handlers are MAPS keyed by reverse-DNS
+// service / capability / handler name (UCP spec §3 + §6).
+const profile = buildUCPProfile({
+  name,
+  services: {
+    'dev.ucp.shopping': [
+      { version: '2026-04-08', spec: 'https://ucp.dev/2026-04-08/specification/overview',
+        transport: 'mcp', endpoint: 'https://merchant.example/api/ucp/mcp',
+        schema: 'https://ucp.dev/services/shopping/openrpc.json' },
+    ],
+  },
+  payment_handlers: {
+    'sh.agentscore.payment.tempo': [{
+      id: 'tempo', version: '2026-04-08',
+      spec: 'https://agentscore.sh/specification/payment-handlers/tempo',
+      schema: 'https://agentscore.sh/schemas/payment-handlers/tempo.json',
+      config: { recipient: TEMPO_ADDR },
+    }],
+  },
+  signing_keys, data: assess,
+});
+```
+
+UCP §6 doesn't mandate profile-body JWS signing; production UCP merchants commonly ship unsigned. AgentScore's `agentscore-profile+jws` is a vendor extension for trust-mode verifiers (regulated-commerce, AP2-aware) that opt into auditable profiles. Sign + verify via the optional `jose` peer dep (tested against jose v6.x; pin `jose@^6`):
 
-// Google A2A v1.0 Signed Agent Card — publish at /.well-known/agent-card.json
-const card = buildA2AAgentCard({ name, url, capabilities, data: assess });
+```typescript
+import { buildJWKSResponse, generateUCPSigningKey, signUCPProfile, verifyUCPProfile, UCPVerificationError } from "@agent-score/commerce";
 
-// Google Universal Commerce Protocol — publish at /.well-known/ucp
-const profile = buildUCPProfile({ name, services, payment_handlers, signing_keys, data: assess });
+const { privateKey, publicJWK } = await generateUCPSigningKey({ kid: "merchant-2026-05" });
+const profile = buildUCPProfile({ name, services, payment_handlers, signing_keys: [publicJWK] });
+const signed = await signUCPProfile(profile, { signingKey: privateKey, kid: publicJWK.kid, alg: "EdDSA" });
+const jwks = buildJWKSResponse([publicJWK]);
 ```
 
-ACP (Stripe + OpenAI Agentic Commerce Protocol) is a transactional checkout protocol with no identity-publishing surface — ACP merchants integrate via the existing `build402Body` + `buildPaymentHeaders` + Stripe SPT rail.
+`verifyUCPProfile` enforces the JWS protected header `typ: "agentscore-profile+jws"` (vendor-namespaced; UCP §6 does not define a profile-as-JWS typ), restricts `alg` to `EdDSA` / `ES256`, requires a `kid`, rejects duplicate kids in the JWKS, and compares the canonical body bytes against the JWS payload to catch swap-after-sign tampering. Failures throw `UCPVerificationError` with a discriminated `code` (`no_signature` / `missing_kid` / `kid_not_found` / `duplicate_kid` / `unsupported_alg` / `wrong_typ` / `signature_invalid` / `body_mismatch` / `malformed_jws` / `malformed_jwks` / `unusable_key` / `unrecognized_critical_header`). `malformed_jwks` covers a JWKS argument that isn't a `{ keys: [...] }` document. `unusable_key` covers a matched JWK whose `use` is not `sig` (e.g. `enc`). `unrecognized_critical_header` covers a JWS whose `crit` header lists an extension the verifier doesn't understand (RFC 7515 §4.1.11).
+
+`signUCPProfile` rejects profiles containing non-integer `Number` values and integers outside `Number.MAX_SAFE_INTEGER` (cross-language float canonicalization is not stable; values past 2^53 lose precision when JS verifiers reparse the canonical body). Use decimal strings for monetary or fractional fields and for any integer that may exceed the safe range.
+
+**Persisting the private JWK.** Mint once via `generateUCPSigningKey()`, export with `jose.exportJWK(privateKey)` to get the JSON-serializable form, store in your secret manager (AWS Secrets Manager, GCP Secret Manager, etc.). On each container start, read the secret, `jose.importJWK(jwk, alg)` to re-hydrate. Remote-signer flows (KMS-backed asymmetric keys) require an adapter layer that exposes a `KeyLike` jose can call; `jose` does not natively wrap KMS endpoints.
+
+**Key rotation.** Mint a new key with a new `kid`, add the public JWK to your JWKS endpoint alongside the old one, then sign new profiles with the new key. Verifiers fetching the JWKS pick up both; any in-flight envelopes signed by the old key still verify until you remove that JWK from the JWKS. Set `Cache-Control: public, max-age=300` on `/.well-known/jwks.json` and wait at least that long after publishing the new key before removing the old JWK.
+
+**Inline JWK in the profile vs separate JWKS endpoint.** UCP §6 mandates the separate `/.well-known/jwks.json` endpoint as the canonical trust source. The profile's `signing_keys[]` is informational; verifiers MUST resolve the kid against the JWKS (not the embedded copy), to prevent a swap-after-sign attack where a hostile actor replaces the inline key with their own.
+
+ACP (Stripe + OpenAI Agentic Commerce Protocol) is a transactional checkout protocol with no identity-publishing surface; ACP merchants integrate via the existing `build402Body` + `buildPaymentHeaders` + Stripe SPT rail.
 
 ### Stripe multichain (peer dep on `stripe`)
 
@@ -222,8 +268,8 @@ const result = await createMultichainPaymentIntent({
 const baseAddress = getDepositAddress(result, "base");
 const solanaAddress = getDepositAddress(result, "solana");
 
-// PI / deposit-address cache. Redis-backed when REDIS_URL is set, in-memory otherwise —
-// multi-task deployments need Redis so a deposit lands on whichever task settles it.
+// PI / deposit-address cache. Redis-backed when REDIS_URL is set, in-memory otherwise.
+// Multi-task deployments need Redis so a deposit lands on whichever task settles it.
 const piCache = createPiCache({ redisUrl: process.env.REDIS_URL });
 for (const addr of Object.values(result.depositAddresses)) {
   await piCache.cacheAddress(addr);
@@ -231,7 +277,7 @@ for (const addr of Object.values(result.depositAddresses)) {
 }
 piCache.cacheNetworkAddresses(result.paymentIntentId, result.depositAddresses);
 
-// Testnet helper — gates on sk_test_ and looks up the PI for you. No-op on live keys.
+// Testnet helper: gates on sk_test_ and looks up the PI for you. No-op on live keys.
 await simulateDepositIfTestMode({
   getPaymentIntentId: piCache.getPaymentIntentId,
   depositAddress: baseAddress!,
@@ -266,11 +312,11 @@ import {
 } from "@agent-score/commerce/payment";
 import { respond402 } from "@agent-score/commerce/challenge";
 
-// Boot-time guard — raises if a configured network isn't supported.
+// Boot-time guard: raises if a configured network isn't supported.
 validateX402NetworkConfig({ baseNetwork: X402_BASE });
 
 app.post("/purchase", async (c) => {
-  // Path A — agent presented an x402 X-Payment header
+  // Path A: agent presented an x402 X-Payment header
   if (c.req.header("payment-signature") || c.req.header("x-payment")) {
     const verified = await verifyX402Request({
       request: c.req.raw,
@@ -298,7 +344,7 @@ app.post("/purchase", async (c) => {
     return c.json({ ok: true }, { headers });
   }
 
-  // Path B — cold call (or Authorization: Payment for mppx). After mppx.compose() returns 402,
+  // Path B: cold call (or Authorization: Payment for mppx). After mppx.compose() returns 402,
   // respond402 PRESERVES mppx's WWW-Authenticate and ADDS x402's PAYMENT-REQUIRED.
   return respond402({
     mppxChallenge: mppxResult.challenge as Response,
@@ -322,22 +368,22 @@ app.use('/purchase', gate);
 app.post('/purchase', async (c) => {
   const { degraded, infraReason } = getGateDegradedState(c);
   if (degraded) {
-    // Compliance was NOT enforced this request — log/alert/refund-async/etc.
+    // Compliance was NOT enforced this request; log/alert/refund-async/etc.
     console.warn(`[gate] degraded: ${infraReason}`);
   }
   // ...rest of handler
 });
 ```
 
-When `failOpen: true` AND the failure is infra-shape, the gate carries `degraded: true` + `infraReason: 'quota_exceeded' | 'api_error' | 'network_timeout'` so merchants can log/alert without parsing console output. **Compliance denials (sanctions, age, jurisdiction, signer-mismatch) still deny regardless of `failOpen`** — `failOpen` only covers "AgentScore couldn't tell us," never "AgentScore said no."
+When `failOpen: true` AND the failure is infra-shape, the gate carries `degraded: true` + `infraReason: 'quota_exceeded' | 'api_error' | 'network_timeout'` so merchants can log/alert without parsing console output. **Compliance denials (sanctions, age, jurisdiction, signer-mismatch) still deny regardless of `failOpen`**; `failOpen` only covers "AgentScore couldn't tell us," never "AgentScore said no."
 
-For regulated commerce (alcohol, age-gated, sanctioned-jurisdiction-relevant) keep the default `failOpen: false` — outage is the correct posture; bypassing compliance on infra failure is a compliance gap. For low-stakes commerce or high-uptime SLAs, opt in and use the `degraded` flag as the audit trail.
+For regulated commerce (alcohol, age-gated, sanctioned-jurisdiction-relevant) keep the default `failOpen: false`: outage is the correct posture, and bypassing compliance on infra failure is a compliance gap. For low-stakes commerce or high-uptime SLAs, opt in and use the `degraded` flag as the audit trail.
 
 The `getGateDegradedState` helper is exported by every framework adapter (Hono, Express, Fastify, Next.js, Web Fetch). For `withAgentScoreGate` (Next.js / Web Fetch), the `degraded` + `infraReason` fields land directly on the `gate` object passed to your handler.
 
 ## Examples
 
-The [examples/](./examples) directory has 7 runnable single-file Hono apps covering common merchant scenarios — copy-paste templates, not frameworks. See [examples/README.md](./examples/README.md) for the full table.
+The [examples/](./examples) directory has 8 runnable single-file Hono apps covering common merchant scenarios; copy-paste templates, not frameworks. See [examples/README.md](./examples/README.md) for the full table.
 
 ## Vendor profile examples
 
@@ -348,11 +394,11 @@ The [examples/](./examples) directory has 7 runnable single-file Hono apps cover
 | Tempo-only merchant | `/payment` | `npm install @agent-score/commerce mppx` |
 | Crypto-native, no Stripe | `/identity/*`, `/payment`, `/challenge` | `npm install @agent-score/commerce @x402/core` |
 
-The SDK is genuinely a toolkit — vendors compose only what they need. Helpers don't bundle assumptions about which rails or protocols you support, and don't recommend one rail over another.
+The SDK is genuinely a toolkit; vendors compose only what they need. Helpers don't bundle assumptions about which rails or protocols you support, and don't recommend one rail over another.
 
 ## Stability
 
-`@agent-score/commerce@1.0.0` ships with the full merchant SDK surface stable. Helpers are protocol translations + configurable opinions — most evolution is additive (new optional params, new helpers, new networks/rails). Major bumps are reserved for genuine protocol-mapping bugs.
+The full merchant SDK surface is stable. Helpers are protocol translations + configurable opinions; most evolution is additive (new optional params, new helpers, new networks/rails). Major bumps are reserved for genuine protocol-mapping bugs.
 
 ## Documentation
 

package/dist/core.js

@@ -220,7 +220,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"1.3.3"}`;
+  const defaultUa = `@agent-score/commerce@${"1.5.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new import_sdk.AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();

package/dist/core.mjs

@@ -202,7 +202,7 @@ function createAgentScoreCore(options) {
   } = options;
   const baseUrl = stripTrailingSlashes(rawBaseUrl);
   const agentMemoryHint = buildAgentMemoryHint();
-  const defaultUa = `@agent-score/commerce@${"1.3.3"}`;
+  const defaultUa = `@agent-score/commerce@${"1.5.0"}`;
   const userAgentHeader = userAgent ? `${userAgent} (${defaultUa})` : defaultUa;
   const sdk = new AgentScore({ apiKey, baseUrl, userAgent: userAgentHeader });
   const sessionSdkCache = /* @__PURE__ */ new Map();

package/dist/discovery/index.js

@@ -607,6 +607,7 @@ var defaultDiscoveryPaths = /* @__PURE__ */ new Set([
   "/.well-known/x402",
   "/.well-known/agent-card.json",
   "/.well-known/ucp",
+  "/.well-known/jwks.json",
   "/favicon.png",
   "/favicon.ico"
 ]);