# Joule Cloud · TLS certificate pins
# Published per RFC 7469 (Public Key Pinning Extension for HTTP).
# Format: <host>: sha256=<base64-spki-fingerprint>
#
# Rotations are announced 14 days in advance at:
#   https://docs.greenjoules.cloud/changelog/
# The "backup" line is the next-in-rotation public key, valid alongside "current" for the
# pre-rotation window so client validators never see a gap.

# Updated: 2026-06-23 — initial publication
# Reach out via security@greenjoules.cloud for signed advance notice of rotations.

api.greenjoules.cloud:
  current = sha256/PLACEHOLDER-fingerprint-of-current-leaf-spki=
  backup  = sha256/PLACEHOLDER-fingerprint-of-rotation-spki=

portal.greenjoules.cloud:
  current = sha256/PLACEHOLDER-fingerprint-of-current-leaf-spki=
  backup  = sha256/PLACEHOLDER-fingerprint-of-rotation-spki=

console.greenjoules.cloud:
  current = sha256/PLACEHOLDER-fingerprint-of-current-leaf-spki=
  backup  = sha256/PLACEHOLDER-fingerprint-of-rotation-spki=

# Real fingerprints land here at v1 GA. Until then, default TLS validation
# (Cloudflare-issued certs via Let's Encrypt or DigiCert) is the live trust path.