Add JWKS endpoint for customer JWT verification

🔍 Problem Statement

As a developer integrating Pelcro authentication, I cannot verify JWT tokens locally because Pelcro signs them with a symmetric algorithm (HS256) and, for security reasons, cannot share the secret key. Every token verification therefore requires an API call to Pelcro, which adds 100-500ms of latency per authentication check, increases server load, and makes it impossible to verify tokens offline or at the edge.

💡 User Story

As a developer integrating Pelcro authentication, I want to retrieve Pelcro's public keys via a standard JWKS endpoint, so that I can verify customer JWT tokens locally without making API calls, reducing latency to <1ms and enabling offline/edge verification.

🎯 Definition of Done (DoD)

Acceptance Criteria

  1. Given a valid JWKS endpoint URL, when a client requests GET /.well-known/jwks.json, then the response returns a valid JWKS containing the RS256 public key(s) in standard format.

  2. Given a JWT issued after this feature deployment, when verified using the public key from the JWKS endpoint, then the signature validates successfully without calling any other Pelcro API.

  3. Given a JWT issued before this feature deployment (HS256), when presented to authenticated endpoints, then the token is still accepted during the migration period (until existing tokens expire).

  4. Given a new user login or token refresh, when a JWT is issued, then the token uses RS256 algorithm.

Status

In Planning

Board
💡

Pelcro Product

Date

6 days ago

Author

Rana Haleem
