lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 1800  # 30 minutes (Story 1.4 requirement)
    # Use 'username' claim for user identification (email, set by Lexik from getUserIdentifier())
    # This allows loadUserByIdentifier() to receive the email correctly
    user_id_claim: username
    clock_skew: 0

    # Automatically extracts the token from cookies
    token_extractors:
        authorization_header:
            enabled: true
            prefix: Bearer
            name: Authorization
        cookie:
            enabled: true
            name: BEARER