Sync documentation updates

Author: promptless[bot]

docs/code-examples/concepts/jwt.ts

@@ -124,12 +124,12 @@ const jwks = jose.createRemoteJWKSet(
   new URL('https://api.stack-auth.com/api/v1/projects/YOUR_PROJECT_ID/.well-known/jwks.json?include_anonymous=true&include_restricted=true')
 );
 
-// Restricted (non-anonymous) users use the same issuer as regular users,
-// so only two issuers are needed even though there are three audiences
+// All three user types have different issuers
 const { payload } = await jose.jwtVerify(token, jwks, {
   issuer: [
     'https://api.stack-auth.com/api/v1/projects/YOUR_PROJECT_ID',
     'https://api.stack-auth.com/api/v1/projects-anonymous-users/YOUR_PROJECT_ID',
+    'https://api.stack-auth.com/api/v1/projects-restricted-users/YOUR_PROJECT_ID',
   ],
   audience: ['YOUR_PROJECT_ID', 'YOUR_PROJECT_ID:anon', 'YOUR_PROJECT_ID:restricted'],
 });`,

docs/content/docs/(guides)/concepts/jwt.mdx

@@ -86,7 +86,7 @@ Anonymous user tokens have the same shape, but:
 
 Restricted user tokens (e.g., users who haven't verified their email when verification is required) have:
 
-- `iss` remains unchanged (same as regular users)
+- `iss` becomes `https://api.stack-auth.com/api/v1/projects-restricted-users/<project-id>`
 - `aud` becomes `<project-id>:restricted`
 - `is_restricted` is `true`
 - `restricted_reason` is `{ "type": "email_not_verified" }`