diff --git a/README.md b/README.md
index 370715a..ef1c93a 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,12 @@ Serverless web content with GitHub Actions pushing changes to S3.
 # Static OIDC issuer
 `makeitwork.cloud/oidc/` hosts public static Kubernetes ServiceAccount OIDC
-discovery metadata for future AWS STS web-identity authentication from the k3s
-cluster.
+discovery metadata for AWS STS web-identity authentication from the k3s cluster.
 - Issuer: `https://makeitwork.cloud/oidc`
 - Discovery: `https://makeitwork.cloud/oidc/.well-known/openid-configuration`
 - JWKS: `https://makeitwork.cloud/oidc/openid/v1/jwks`
-The JWKS file must contain only public key material for the k3s ServiceAccount
+The JWKS file contains only public key material from the k3s ServiceAccount
 token signing key. Never commit the private signing key, AWS credentials, KMS
 key IDs, kubeconfigs, or decrypted SOPS values here.
diff --git a/makeitwork.cloud/oidc/openid/v1/jwks b/makeitwork.cloud/oidc/openid/v1/jwks
index faf87ec..5122b8a 100644
--- a/makeitwork.cloud/oidc/openid/v1/jwks
+++ b/makeitwork.cloud/oidc/openid/v1/jwks
@@ -1,3 +1,12 @@
 {
- "keys": []
+ "keys": [
+ {
+ "alg": "RS256",
+ "e": "AQAB",
+ "kid": "INImbqvzmPK6jGaGaRRsZM2PXN8d2sU-oFdDcxl3-1A",
+ "kty": "RSA",
+ "n": "v5ROv3NlaVWXMBDyabdk8jAx2Quizlg1rFPSgcxMp3GubFRWUKK2wA2hSNaKTbCeyg8L3lqzYP9IJEM3YXRafWNlEBiyaotY6XSV9NaIT5tbJ30Ksb87qOuGzHL1NCRm60jOSXF8JabPyCEFim-3gLB2re3o0FC4En5TGDPpEMYZmy81YBWfdWDXcYDtnChs5WKiArHxas_6JwEiEpmXydSeFvu7NhDPqb4zbGFzdSWlwyvWkRDKMSSgXrfxdlDQ1PQftdfXp6S9j4zi39tffgtaRgOPm61J8gJMXKfeBkKfcRicYJJNcx0YkXFleO1-fg22Mmll63RGl1xIx5S_jw",
+ "use": "sig"
+ }
+ ]
 }
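Review bot: The single RSA entry added under `"keys"` in the jwks hunk carries no trace of having been checked against the k3s API server's own `/openid/v1/jwks` output, and with only one `kid` published, the next rotation of the cluster's ServiceAccount signing key will make AWS STS reject every web-identity token until this file is updated again; before merging, confirm the committed `kid` (`INImbqvzmPK6jGaGaRRsZM2PXN8d2sU-oFdDcxl3-1A`) and `n` match the cluster, and during rotation keep the outgoing key in the array alongside the new one for the overlap window. Because this file is what STS trusts, and the README says GitHub Actions pushes it to S3 automatically, a change to this path has the same effect as a change to the signing key itself and should require review (branch protection and a CODEOWNERS rule for `makeitwork.cloud/oidc/`). The JWKS is pure JSON with nowhere for a comment, so the provenance and rotation procedure belong in the README's "Static OIDC issuer" section, e.g. `The key in jwks is copied from the cluster's /openid/v1/jwks; on rotation, publish old and new keys together until all tokens signed with the old key have expired.`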