mpdavis / python-jose

A JOSE implementation in Python


jwt.decode raises '[ERROR] JWKError: No PEM start marker "b'-----BEGIN PRIVATE KEY-----'"' as exception when attempting to decode a jwt.

Disgruntled opened this issue

This is more of a cosmetic/logging issue than a true productivity-impacting issue.

When calling jwt.decode, if jwt.decode fails to load the public key it references a private key PEM start marker. This seems to be because the code logic then tries to load private keys after the load of a public key fails. It would be a "nice to have" for it to reference the fact that it was trying to fail while loading a public key.

No explicit backend called out in the code, thus rsa_backend is used.

Full trace:

[ERROR] JWKError: No PEM start marker "b'-----BEGIN PRIVATE KEY-----'" found
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 14, in lambda_handler
    responseBody = jwt.decode(token,pubkey,algorithms=['RS256'],audience=audience)
  File "/var/task/jose/jwt.py", line 142, in decode
    payload = jws.verify(token, key, algorithms, verify=verify_signature)
  File "/var/task/jose/jws.py", line 73, in verify
    _verify_signature(signing_input, header, signature, key, algorithms)
  File "/var/task/jose/jws.py", line 261, in _verify_signature
    if not _sig_matches_keys(keys, signing_input, signature, alg):
  File "/var/task/jose/jws.py", line 208, in _sig_matches_keys
    key = jwk.construct(key, alg)
  File "/var/task/jose/jwk.py", line 79, in construct
    return key_class(key_data, algorithm)
  File "/var/task/jose/backends/rsa_backend.py", line 171, in __init__
    raise JWKError(e)
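
One way to get an accurate message about the verification key before it reaches jwt.decode, as an added example that is not python-jose code and not part of the original issue: a standard-library pre-check of the key's PEM armor. `check_public_pem`, `PublicKeyFormatError` and the sample key are hypothetical names and constructed data; the check inspects only the armor and the outer DER tag, not the key material.

```python
import base64
import binascii
import re

# PEM labels acceptable for signature verification (assumed list for this example).
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY", "CERTIFICATE"}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL
)

# Constructed sample: a tiny DER SEQUENCE in PEM armor, not a real RSA key.
_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_OK = f"-----BEGIN PUBLIC KEY-----\n{_BODY}\n-----END PUBLIC KEY-----\n"


class PublicKeyFormatError(ValueError):
    """The verification key is not a usable public-key PEM."""


def check_public_pem(key):
    """Return the PEM label if `key` looks like a public-key PEM, else raise."""
    if isinstance(key, bytes):
        key = key.decode("ascii", errors="replace")
    match = PEM_RE.search(key)
    if match is None:
        raise PublicKeyFormatError("public key: no PEM BEGIN/END markers found")
    begin, body, end = match.groups()
    if begin != end:
        raise PublicKeyFormatError(
            f"public key: BEGIN {begin} does not match END {end}")
    if begin not in PUBLIC_LABELS:
        # Name the real problem instead of a fallback loader's error.
        raise PublicKeyFormatError(
            f"public key expected, but PEM label is {begin!r}")
    if "\\n" in body:
        raise PublicKeyFormatError(
            "public key: body contains literal '\\n' text instead of newlines")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise PublicKeyFormatError(
            f"public key: body is not valid base64 ({exc})") from exc
    if not der or der[0] != 0x30:
        raise PublicKeyFormatError("public key: body is not a DER SEQUENCE")
    return begin
```

Call `check_public_pem(pubkey)` immediately before `jwt.decode(...)` so a malformed key is logged as a public-key problem.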

I don't know if you figured out the solution, but this issue helps me a lot.