Creates an HS256 KeyStore that resolves the verification key by kid.
Rotation (IH-9): when previousSecrets is non-empty, the keystore can
verify tokens signed by an older key whose kid is recorded in that
array. Issuance always uses the current secret/kid. Lookup is by
the JWT kid header — the keystore returns the matching key directly,
never trial-verifies across multiple keys, mirroring the asymmetric
previousKeys rotation path.
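
An added illustration of the kid-based lookup described above, not the library's own implementation. The factory name `createHs256KeyStore`, the option shape `{ secret, kid, previousSecrets: [{ secret, kid }] }`, the `sign`/`verify` method names and the sample secrets are assumptions made for the example.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');
const mac = (secret, data) => createHmac('sha256', secret).update(data).digest();

// Hypothetical factory: option and method names are assumptions, not the project's API.
function createHs256KeyStore({ secret, kid, previousSecrets = [] }) {
  // One map entry per kid; the current key overrides a retired key with the same kid.
  const byKid = new Map(previousSecrets.map((p) => [p.kid, p.secret]));
  byKid.set(kid, secret);
  return {
    // Issuance always uses the current secret and stamps the current kid.
    sign(payload) {
      const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid }));
      const input = `${head}.${b64url(JSON.stringify(payload))}`;
      return `${input}.${mac(secret, input).toString('base64url')}`;
    },
    // Returns the payload, or null if the token is rejected.
    verify(token) {
      const parts = String(token).split('.');
      if (parts.length !== 3) return null;
      let header;
      try { header = JSON.parse(fromB64url(parts[0]).toString()); } catch { return null; }
      if (!header || header.alg !== 'HS256' || typeof header.kid !== 'string') return null;
      const key = byKid.get(header.kid);
      if (key === undefined) return null; // unknown kid: reject, never try other keys
      const expected = mac(key, `${parts[0]}.${parts[1]}`);
      const given = fromB64url(parts[2]);
      if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
      return JSON.parse(fromB64url(parts[1]).toString());
    },
  };
}

// Constructed sample secrets and kids, for illustration only.
const OLD = 'constructed-old-secret', NEW = 'constructed-new-secret';
const oldStore = createHs256KeyStore({ secret: OLD, kid: 'k1' });
const newStore = createHs256KeyStore({
  secret: NEW, kid: 'k2', previousSecrets: [{ secret: OLD, kid: 'k1' }],
});
```

A token signed with the retired secret but labelled with the current kid is rejected, because only the key the header names is ever used.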