Migration
=========

Recommended migration flow:

1. Start writing with current compact payload formats and active key ids.
2. Keep old keys in key rings for read-path compatibility.
3. Re-encrypt legacy strings/files/envelopes to active key ids.
4. Remove retired keys after successful migration and verification.

JWT migration notes:

- Enforce strict validation incrementally with result APIs.
- Require ``kid`` when using key-set verification mode.