Per the docker protocol that is implemented (https://docs.docker.com/registry/spec/auth/jwt/), I see there is a transformation done on kid claim that's valid per protocol.
My question is how should client go about verification of token when there exists multiple signing keys in a realm and the kid published through certs endpoint is different than the one on token?