diff --git a/ops/sso/kube/sso.libsonnet b/ops/sso/kube/sso.libsonnet
index 078c3964..26966bf2 100644
--- a/ops/sso/kube/sso.libsonnet
+++ b/ops/sso/kube/sso.libsonnet
@@ -8,7 +8,7 @@ local kube = import "../../../kube/kube.libsonnet";
 cfg:: {
 namespace: "sso",
- image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:3b277a8e2b3c3225d7da10aee37774266f9eb2aa536e7a390160f550b3556087",
+ image: "registry.k0.hswaw.net/informatic/sso-v2@sha256:1118effa697489028c3cd5a6786d3f94f16dbbe2810b1bf1b0f65ea15bac1914",
 domain: error "domain must be set",
 database: {
 host: error "database.host must be set",
@@ -33,6 +33,7 @@ local kube = import "../../../kube/kube.libsonnet";
 defaultMode: std.parseOctal("0600"),
 },
 },
+ jwk: { secret: { secretName: "sso-jwk" } },
 tlscopy: kube.EmptyDirVolume(), # see initContainers_.secretCopy
 },
 securityContext: {
@@ -74,10 +75,17 @@ local kube = import "../../../kube/kube.libsonnet";
 LDAP_BIND_PASSWORD: { secretKeyRef: { name: "sso", key: "ldap_bind_password" } },
 SECRET_KEY: { secretKeyRef: { name: "sso", key: "secret_key" } },
- LOGGING_LEVEL: "DEBUG",
+ LOGGING_LEVEL: "INFO",
+
+ JWT_ALG: "RS256",
+ JWT_EXP: "600",
+
+ JWT_PUBLIC_KEYS: "/jwk/public.pem",
+ JWT_PRIVATE_KEY: "/jwk/private.pem",
 },
 volumeMounts_: {
 tlscopy: { mountPath: "/tls" },
+ jwk: { mountPath: "/jwk" },
 },
 },
 },
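Review bot: The `jwk` volume added in the second hunk (`@@ -33,6 +33,7 @@`) sets no `defaultMode`, so Kubernetes will project every file of `sso-jwk`, including `private.pem`, with the secret-volume default of 0644, whereas the entry just above it is restricted with `std.parseOctal("0600")`. I would tighten the new volume in the same way, e.g. `jwk: { secret: { secretName: "sso-jwk", defaultMode: std.parseOctal("0400") } },`. The `securityContext` block that follows is cut off by the hunk, so the exact mode needs checking against the user and group the container runs as. The `tlscopy` comment hints that the other secret is copied by an init container, possibly for ownership reasons, so confirm the application can still read the signing key once the mode is tightened.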
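Review bot: The JWT settings added in the third hunk (`@@ -74,10 +75,17 @@`) rely on an `sso-jwk` Secret whose keys are named exactly `public.pem` and `private.pem`, yet nothing in the file states that contract or how the Secret is provisioned, and a missing Secret will keep the pod from starting. A comment above `JWT_ALG` would record it, e.g. `# RS256 key pair comes from the out-of-band Secret "sso-jwk" (keys: private.pem, public.pem), mounted at /jwk`. It would also help to note the unit of `JWT_EXP: "600"` next to the value (presumably seconds), since the token lifetime is a security-relevant setting. The env block and the container definition start outside the hunk.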