{
  "key_type": "Ed25519",
  "purpose": "This file is a backward-compatible alias. As of Day 0 prep (2026-05-24), the single-key role has been split into three distinct keys: rankigi-passport-key.json (agent passport JWT signing), rankigi-closure-key.json (server-attested closure events), and rankigi-witness-key.json (CCAP Witness of Last Resort, pending Day 1 generation). Existing verifiers that fetch rankigi-public-key.json continue to work for passport and closure verification.",
  "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAXoEmtOmourUMaDFTCyU2Z2HY9YJLQH+Sv8q+EEdha9Y=\n-----END PUBLIC KEY-----\n",
  "public_key_b64_spki": "MCowBQYDK2VwAyEAXoEmtOmourUMaDFTCyU2Z2HY9YJLQH+Sv8q+EEdha9Y=",
  "fingerprint": "sha256:3ca5f8c2f41375be3b5e71212eb55ff42e9c428984e306602036e19381ee2031",
  "fingerprint_method": "sha256(base64_spki) hex, lowercase",
  "issued_at": "2026-03-26T08:02:05Z",
  "usage": [
    "RANKIGI passport JWT signing",
    "Server-attested chain closure events",
    "Intent document attestation"
  ],
  "verify_with": "python3 verify.py bundle.json --pubkey rankigi-public-key.pem",
  "pem_url": "https://rankigi.com/.well-known/rankigi-public-key.pem",
  "contact": "security@rankigi.com",
  "rotation_policy": "Key rotation is announced in advance at https://rankigi.com/proof and via the chain itself as a signed rotation event."
}
