v0.4.0

Released: 2026-05-01
Tag: v0.4.0
Type: Minor — new feature (RS256 keypair security)
PR: #37 — feat/issue-30-rs256-keypair-security

What Changed

config — RS256 JWT config model

Added RS256 mode to JWTConfig:

security:
  auth:
    jwt:
      algorithm: RS256
      issuer: my-service
      ttl-minutes: 60
      rs256-key-source: generated   # generated | public-pem | private-pem
      rs256-key-id: my-key-id
      rs256-public-key-pem: |
        -----BEGIN PUBLIC KEY-----
        ...

security/keys — RSA resolver constructors

  • keys.NewRSAResolver(privateKey, keyID) — signs and verifies.
  • keys.NewRSAPublicKeyResolver(publicKey, keyID) — verify only.

app — Config-based RS256 wiring

UseServerSecurityFromConfig() now supports RS256 bootstrap from config.

Migration Notes (HS256 → RS256)

  1. Set algorithm: RS256 in JWT config.
  2. Add rs256-key-source, rs256-key-id, and relevant PEM fields.
  3. Remove secret (not used in RS256 mode).
  4. Use app.UseServerSecurityFromConfig() or build NewRSAPublicKeyResolver manually.
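
The split between a signing resolver and a verify-only resolver in the steps above, shown as an added sketch that uses only the Go standard library. It is not this project's code and does not call its keys or app packages. The names signRS256, verifyRS256, b64 and demoKey are hypothetical, the key and claims are constructed for the demo, and claim checks such as expiry and issuer are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo

// signRS256 is the issuer side: it needs the private key.
func signRS256(priv *rsa.PrivateKey, kid, claims string) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyRS256 is the verify-only side: public key and expected key ID, no private key.
func verifyRS256(pub *rsa.PublicKey, kid, token string) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return errors.New("malformed token")
	}
	h := map[string]string{}
	raw, errH := b64.DecodeString(p[0])
	sig, errS := b64.DecodeString(p[2])
	if errH != nil || errS != nil || json.Unmarshal(raw, &h) != nil {
		return errors.New("undecodable token")
	}
	if h["alg"] != "RS256" || h["kid"] != kid { // pinned from config, never chosen by the token
		return errors.New("unexpected alg or kid")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

func main() {
	tok, _ := signRS256(demoKey, "my-key-id", `{"iss":"my-service"}`)
	fmt.Println("valid token:", verifyRS256(&demoKey.PublicKey, "my-key-id", tok))
	fmt.Println("wrong key ID:", verifyRS256(&demoKey.PublicKey, "other-key-id", tok))
}
```

A service that only validates tokens needs just the public key and the key ID, so the private key can stay with the issuer.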

Compatibility

  • HS256 path unchanged and backward-compatible.
  • algorithm defaults to HS256 when omitted.