I'm trying to figure out if I can create Service Accounts in Kanidm and get a JWT that will work with pREST. pREST can be configured to use a .well-known URL to pull a JWK. This would allow me to give a long-lived service account API key to each service and keep token generation out of my services.

It looks like not yet! But they seem to be aware of this use case.