Summary
The JWT-SVID specification recommends setting `typ: JWT` in the JOSE header of issued tokens. The current implementation omits the `typ` header entirely. While this is not a hard MUST, it reduces interoperability with verifiers that use `typ` to distinguish token types, and is inconsistent with the spec's guidance.
Location
JWT construction in `internal/service/credential.go` (or wherever the JWT header is assembled).
Fix
Add `"typ": "JWT"` to the JWT header at issuance time.
Reference
Summary
The JWT-SVID specification recommends setting `typ: JWT` in the JOSE header of issued tokens. The current implementation omits the `typ` header entirely. While this is not a hard MUST, it reduces interoperability with verifiers that use `typ` to distinguish token types, and is inconsistent with the spec's guidance.
Location
JWT construction in `internal/service/credential.go` (or wherever the JWT header is assembled).
Fix
Add `"typ": "JWT"` to the JWT header at issuance time.
Reference