Interesting, I hadn't thought about using wireguard keys for signing the token, though I'm not sure what exactly is gained by doing so.
I mean no one else knows the preimage and holds the token: both are required by the server.
You're right, the server has to manage wireguard sessions so it can't be completely stateless, but my goal is to make the server as simple as possible. Both approaches should work, but when considering the trade-offs, I like pushing the logic and control to the client.
The benefit of using the wireguard keys to sign the JSON messages is that you don't need to have another key or key type. You need to secure this communication some way because it has to at least initially start outside of the tunnel, so it's best to keep it simple and common rather than need to trust multiple keys.