The “kid” field has to be in a libtrust fingerprint compatible format. Such a format can be generated by following steps:
1) Take the DER encoded public key which the JWT token was signed against.
2) Create a SHA256 hash out of it and truncate to 240bits.
3) Split the result into 12 base32 encoded groups with : as delimiter.
Ex: "kid": "PYYO:TEWU:V7JH:26JV:AQTZ:LJC3:SXVJ:XGHA:34F2:2LAQ:ZRMK:Z7Q6"