Currently, secrets are either hard coded in the config file or passed as environment variable. However, many platforms give the option to expose managed secrets as readonly files (ex: docker compose, kubernetes, systemd)
My suggestion is that secret values would also have a configuration that allows specifying the file path from witch to load the secret value. For example, the configuration file would have an option for jwt_secret_path in addition to jwt_secret. On startup, if the app detects that the jwt_secret_path value of a secret is defined, it would attempt to load the secret from the specified file and potentially fall back to the jwt_secret option.
Using secret as files also allows supporting secret rotation without app restart. The server could reload the secret files (or even the whole config) when receiving a SIGHUP.