mod_push2: Need to include the public key with the JWT
authorStephen Paul Weber <singpolyma@singpolyma.net>
Wed, 20 Sep 2023 23:05:29 -0500
changeset 5667 a1d22d6efb3d
parent 5666 81f1c617f4c7
child 5668 4b052598e435
mod_push2: Need to include the public key with the JWT
mod_push2/mod_push2.lua
mod_push2/push2.markdown
--- a/mod_push2/mod_push2.lua	Tue Sep 19 21:39:14 2023 -0500
+++ b/mod_push2/mod_push2.lua	Wed Sep 20 23:05:29 2023 -0500
@@ -285,13 +285,14 @@
 		key = "-----BEGIN PRIVATE KEY-----\n"..key.."\n-----END PRIVATE KEY-----"
 	end
 
+	local public_key = pkey.new(key):getParameters().pub_key:toBinary()
 	local signer = jwt.new_signer(match.jwt_alg, key)
 	local payload = {}
 	for k, v in pairs(match.jwt_claims or {}) do
 		payload[k] = v
 	end
 	payload.sub = contact_uri
-	push_notification_payload:text_tag("jwt", signer(payload))
+	push_notification_payload:text_tag("jwt", signer(payload), { key = base64.encode(public_key) })
 end
 
 local function handle_notify_request(stanza, node, user_push_services, log_push_decline)
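Review bot: The added `pkey.new(key):getParameters().pub_key:toBinary()` line has no failure path: if `key` does not parse as a PEM private key, or parses to a key type whose parameter table has no `pub_key` field (the hunk does not show `match.jwt_alg` being restricted to EC algorithms), the chain raises in the notification path instead of skipping the JWT. Since `key` presumably comes from the registration's `match` settings, I would guard it, e.g. `local ok, public_key = pcall(function() return pkey.new(key):getParameters().pub_key:toBinary() end)` followed by `if not ok then module:log("warn", "push2: cannot derive JWT public key: %s", tostring(public_key)); return end`. A one-line comment stating that only the public component is serialised into the stanza would also help, because the same parameter table presumably carries the private scalar. The enclosing function starts above the hunk, so where `key`, `pkey` and `base64` come from is not visible here.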
--- a/mod_push2/push2.markdown	Tue Sep 19 21:39:14 2023 -0500
+++ b/mod_push2/push2.markdown	Wed Sep 20 23:05:29 2023 -0500
@@ -105,7 +105,7 @@
         <encrypted xmlns="urn:xmpp:sce:rfc8291:0">
             <payload>Base64 encoded ciphertext</payload>
         </encrypted>
-        <jwt>the signed JWT, if present</jwt>
+        <jwt key="base64 encoded raw public key">the signed JWT, if present</jwt>
     </notification>
 </message>
 ```