# Secure JWT Endpoints with Backend Token

**ID:** ADM-001
**Priority:** Critical
**Status:** Planned

## User Story

As a platform administrator, I want JWT-related endpoints to be secured with backend token validation so that only authorized services can access sensitive security operations.

## Acceptance Criteria

- [ ] Public key endpoint requires valid backend token
- [ ] JWT blocklist endpoint requires valid backend token
- [ ] Backend tokens are securely generated and distributed
- [ ] Token validation is performed on every request
- [ ] Invalid/missing token returns 401 Unauthorized
- [ ] Tokens can be rotated without service interruption
- [ ] Audit log for all backend token usage

## Technical Notes

- Two TODOs exist for backend token validation in JwtManager
- `getPublicKeyForValidation` and `pushOrGetJwtIdBlocklist` need protection
- Backend token should be separate from user JWT
- Consider service-to-service authentication pattern
- Environment variable for backend token configuration

## Related TODOs

- `ts/reception/classes.jwtmanager.ts:40` - `// TODO control backend token`
- `ts/reception/classes.jwtmanager.ts:52` - `// TODO control backend token`
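
One way the acceptance criteria above could be met, as an added sketch that is not the project's own code: the presented bearer token is checked against a current and an optional previous value, so a rotation needs no downtime, and every decision yields an audit record. The environment variable names, the 32-character minimum and `checkBackendToken` are assumptions.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Hypothetical names throughout: BACKEND_TOKEN, BACKEND_TOKEN_PREVIOUS and
// checkBackendToken are assumptions, not identifiers from the project.
type Env = Record<string, string | undefined>;
interface AuthResult { status: 200 | 401; audit: { ok: boolean; slot: string; reason: string } }
interface Slot { slot: string; digest: Buffer }

const sha256 = (value: string): Buffer => createHash('sha256').update(value, 'utf8').digest();

// Read the active token plus an optional previous one, so a new value can be
// rolled out to callers before the old one is withdrawn.
function loadBackendTokens(env: Env): Slot[] {
  const names = [{ slot: 'current', name: 'BACKEND_TOKEN' }, { slot: 'previous', name: 'BACKEND_TOKEN_PREVIOUS' }];
  const slots: Slot[] = [];
  for (const { slot, name } of names) {
    const value = env[name];
    // Refuse empty or short values: an unset variable must never match "".
    if (value && value.length >= 32) slots.push({ slot, digest: sha256(value) });
  }
  return slots;
}

// Validate the Authorization header of one request; meant to run on every call
// to the protected endpoints. Anything but an exact match yields 401.
function checkBackendToken(authHeader: string | undefined, env: Env): AuthResult {
  const deny = (reason: string): AuthResult => ({ status: 401, audit: { ok: false, slot: 'none', reason } });
  const slots = loadBackendTokens(env);
  if (slots.length === 0) return deny('no backend token configured'); // fail closed
  const header = authHeader ?? '';
  if (!header.startsWith('Bearer ') || header.length <= 7) return deny('missing or malformed header');
  const presented = sha256(header.slice(7));
  let matched = '';
  // Compare fixed-length digests in constant time and visit every slot, so the
  // response time does not depend on where the first differing byte is.
  for (const { slot, digest } of slots) {
    if (timingSafeEqual(presented, digest) && !matched) matched = slot;
  }
  if (!matched) return deny('token mismatch');
  // The audit record names the slot that matched, never the token itself.
  return { status: 200, audit: { ok: true, slot: matched, reason: 'match' } };
}

// Constructed sample values, not real secrets.
const sampleEnv: Env = {
  BACKEND_TOKEN: 'constructed-current-token-0123456789abcdef',
  BACKEND_TOKEN_PREVIOUS: 'constructed-previous-token-0123456789abcd',
};
```

A request carrying the previous token is still accepted and is audited with `slot: 'previous'`, which shows when all callers have moved to the new value and the old one can be removed.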