You mentioned "JWT requires you to properly store and distribute private / public keys"
Your Auth Server signs the JWT with its private key (which does not need to be distributed).
The AuthServer Public Key (for validating the signature) can be retrieved by URL; there is no need to distribute/store it.
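The split described in the comment above, as an added example that is not part of the original comment: the signer holds the private exponent, and the verifier works only from the public JWKS document that the key URL would serve. Assumptions: the key is a constructed toy key built from two Mersenne primes (not secure), the `JWKS` dict stands in for the fetched document, and the names `auth_server_sign` and `verify` are hypothetical.

```python
import base64, hashlib, json

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_b64u(i: int) -> str:
    return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

# Constructed demo key from two Mersenne primes: NOT secure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the auth server

# What the JWKS URL would serve (constructed): public parameters only, no "d".
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                  "n": int_b64u(N), "e": int_b64u(E)}]}

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa(msg: bytes, n: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for modulus n (RFC 8017)."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def auth_server_sign(claims: dict, kid: str = "demo-1") -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64u(json.dumps(x).encode()) for x in (header, claims))
    sig = pow(emsa(signing_input.encode(), N), D, N)
    return signing_input + "." + b64u(sig.to_bytes((N.bit_length() + 7) // 8, "big"))

def verify(token: str, jwks: dict) -> dict:
    """Resource-server side: uses only the public JWKS document."""
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; rejects "none" and HS256
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(key[f]), "big") for f in ("n", "e"))
    sig = int.from_bytes(unb64u(s64), "big")
    if sig >= n or pow(sig, e, n) != emsa((h64 + "." + p64).encode(), n):
        raise ValueError("bad signature")
    return json.loads(unb64u(p64))
```

The URL the verifier fetches the JWKS from should come from its own configuration (and be served over TLS), not from a field inside the token being checked.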