The entire point of this is that the complexity is encapsulated on the signing side - not the verifier. So it's more that you would split the keys between systems you control - say the reverse proxy and the application server.
Or one that's checked into your version control (representing that it is your company's code that's running) and one that lives on the server (representing that it is a server your company controls).
Or to take your example - a key in the repo, a key from the dev, and a key from the build server.
More like a failure on TechCrunch. There is an implied agreement and violating it will result in a flat refusal to talk outside of prepared press releases.
This isn't good journalism and should not be celebrated.
The H1-B visa is intended for bringing specific technical expertise that does not exist in the US for a set period of time. This is why one of the requirements is that you must have interviewed US persons first. Its the same reason it's a nonimmigration visa.
The rampant abuse of the visa has a remedy - criminal charges against the HR directors of any company who is found to have committed fraud, and capping the number of visas per company (setting up many shell companies is a strong signal that fraud is being committed).
If an H1-B worker can't negotiate on a global level for their expertise - they should not be on that visa.
You are writing this as if security was a newly invented thing. Having done systems level security development for 12 years, anything that can be produced maliciously will be. By using JSON, you've invented a new vulnerability class for malicious deserialization attacks.
Actually, not new. Earliest CVE I found was from 2017, which feels a decade later than it should be. I guess no one thought of pushing JSON over trusted interfaces, and probably for good reason.
The danger I see is that JSON has lots of edge behavior around deserialization, and some languages will deserialize a 100 digit number differently. If the main benefit is removing the broker and the need for rate limiting - it could have been accomplished without using JSON.
1. They're low stakes to get wrong.
2. The most common is MCPs or similar ai-tooling.
3. Making them look good takes time and effort still. It's a multiplier, not a replacement.
4. Quality and maintainability require investment. I had to restart an agentic project several times because it painted itself into a corner.