Returns the broker's public keys (RFC 7517) used to verify interactive (Jupyter) session tokens by kid. Intentionally UNAUTHENTICATED — it exposes only public key material; the per-node auth-proxy sidecars fetch it to verify broker-signed tokens.