
Use PASERK identifiers for key identification

ADR-0023 ACCEPTED · 2025-07-24

Context

During key rotation, the server needs to know which key was used to create a given token without exposing key material.

Decision

Use PASERK (PASETO Keys) identifiers in token footers to identify which key was used for token creation.

Rationale

  • Secure hashing: PASERK IDs are cryptographic hashes of the key material, not the raw key
  • Standard compliance: PASERK is the official PASETO specification for key identification
  • Rotation support: Allows validation of tokens created with deprecated/revoked keys
  • No key leakage: The footer contains a hash, not the actual key material

Token footers contain PASERK identifiers enabling secure key lookup during validation. This supports the active → deprecated → revoked key lifecycle without invalidating tokens mid-rotation.
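
The lookup described above, as an added sketch that is not this project's own code. It assumes v4.public tokens, a JSON footer carrying the ID in a `kid` claim, and `k4.pid` identifiers (BLAKE2b-264 over the ID header plus the key's `k4.public` PASERK); the keyring layout, function names and sample keys are hypothetical.

```python
import base64, hashlib, json
# Assumptions: v4.public tokens, JSON footer with a "kid" claim, k4.pid identifiers.

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def paserk_pid(public_key: bytes) -> str:
    """k4.pid: BLAKE2b-264 over the ID header plus the key's k4.public PASERK."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    header = "k4.pid."
    paserk = "k4.public." + b64u(public_key)
    digest = hashlib.blake2b((header + paserk).encode(), digest_size=33).digest()
    return header + b64u(digest)

def kid_from_token(token: str) -> str:
    """Read the key ID from the footer of a v4.public token (4 dot-separated parts)."""
    parts = token.split(".")
    if len(parts) != 4 or parts[:2] != ["v4", "public"]:
        raise ValueError("expected a v4.public token with a footer")
    footer = json.loads(b64u_decode(parts[3]))
    kid = footer.get("kid") if isinstance(footer, dict) else None
    # The footer is untrusted until the signature verifies: accept only an ID string.
    if not isinstance(kid, str) or not kid.startswith("k4.pid.") or len(kid) != 51:
        raise ValueError("footer does not carry a k4.pid identifier")
    return kid

def select_key(token: str, keyring: dict) -> dict:
    """Map the footer's ID to a key the server already holds; never load a key from the token."""
    entry = keyring.get(kid_from_token(token))
    if entry is None:
        raise KeyError("unknown key id")
    return entry  # caller verifies with entry["key"] and applies its policy for entry["state"]

# Constructed sample data: fixed byte patterns stand in for real Ed25519 public keys.
OLD_KEY, NEW_KEY = bytes(range(32)), bytes(range(32, 64))
KEYRING = {
    paserk_pid(OLD_KEY): {"key": OLD_KEY, "state": "deprecated"},
    paserk_pid(NEW_KEY): {"key": NEW_KEY, "state": "active"},
}

def sample_token(public_key: bytes) -> str:
    """Build a token-shaped string (dummy payload, not a real signature) for the demo."""
    footer = json.dumps({"kid": paserk_pid(public_key)}).encode()
    return "v4.public." + b64u(b"constructed-payload") + "." + b64u(footer)
```

The key selected this way is only a candidate: the token is trusted only after its signature verifies against that key.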