I imagine others have had this same question. Thanks for moving this to a public topic.
The keys available from the /.well-known/jwks.json endpoint are the public keys for your tenant. This endpoint is standardized as part of the OAuth 2.0 framework.
If you are using an asymmetric signing algo like RS256, JWT tokens are signed with a private key (secret to the auth server) and applications consuming the tokens can verify the signature with a public key (available via the endpoint).
Applications consuming the tokens can use the /.well-known/jwks.json endpoint to dynamically request the public key that corresponds to the private key currently in use. This allows your application to always have access to an up-to-date public key, among other things.
If you want to dig in deeper, this blog post helps to demystify RS256 and JWKS:
Hope that clears things up!