Idea Summary
The current APEX_JWT.ENCODE/DECODE functions require the signature key to be passed in as a raw parameter. This works fine but it also means that the private key signature is stored somewhere and probably unprotected. Now that Web Credentials can store key pairs, could the APEX_JWT.ENCODE/DECODE functions be enhanced by adding a WEB_CREDENTIAL_ID parameter that would then use the private key stored against the particular web credential.

Use Case
When connecting to APIs that use JWT to obtain Bearer or Access tokens, developer would not need to see or store the RSA Private key as plain text, it would be protected as a web credential.

Preferred Solution (Optional)
Extend the parameters of the APEX_JWT.ENCODE/DECODE functions with an optional parameter of p_web_credential_id.  That would be used, if provided, to supply the private key to sign or verify signature of the token.