···253253 "redirect_uris": ["https://example.com/oauth/callback"],
254254 "scope": "atproto transition:generic",
255255 "token_endpoint_auth_method": "private_key_jwt",
256256+ "token_endpoint_auth_signing_alg": "ES256",
256257 "jwks_uri": "https://example.com/oauth-jwks.json"
257258}
258259```
259260260260-the `jwks_uri` should expose the public keys used to sign client assertions.
261261+the `jwks_uri` should expose the public keys used to sign client assertions. it should return a JSON
262262+Web Key Set (JWKS) document:
263263+264264+```json
265265+{
266266+ "keys": [
267267+ {
268268+ "kty": "EC",
269269+ "crv": "P-256",
270270+ "x": "base64url-encoded-x-coordinate",
271271+ "y": "base64url-encoded-y-coordinate",
272272+ "use": "sig",
273273+ "kid": "key-identifier",
274274+ "alg": "ES256"
275275+ }
276276+ ]
277277+}
278278+```
279279+280280+the public keys in the JWKS must correspond to the private keys your backend uses to sign client
281281+assertions. multiple keys can be listed to support key rotation.
261282262283## additional guide
263284