Caching Differences between Development and Production Tenants

habikki · September 15, 2025, 6:05pm

I have a development tenant that I’m using to build out what will be going to production and I’ve noticed something I wanted to clarify before running into the issue later.

I’ve noticed that GET /.well-known/openid-configuration off a custom domain is only cached for 15 seconds.

HTTP/2 200 
date: Mon, 15 Sep 2025 17:52:22 GMT
content-type: application/json; charset=utf-8
content-encoding: br
cf-ray: 97f9fa3b2be1e9e5-LAX
cf-cache-status: EXPIRED
access-control-allow-origin: *
cache-control: public, max-age=15, stale-while-revalidate=15, stale-if-error=86400
last-modified: Mon, 15 Sep 2025 17:52:22 GMT
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding, Origin, Accept-Encoding
access-control-allow-credentials: false
access-control-expose-headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After, DPoP-Nonce, WWW-Authenticate
x-auth0-l: 0.041
x-auth0-requestid: 7175fec565ed0872587f
x-cache-status: BYPASS
x-content-type-options: nosniff
x-ratelimit-limit: 300
x-ratelimit-remaining: 299
x-ratelimit-reset: 1757958803
server: cloudflare
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

In development this seems ideal as it:

States that caching is applied
Is low enough to expect rapid prototyping of changes to the OIDC configuration

Ideally this would be raised to something reasonable for production tagged tenants? I see no way this is configurable.

Thanks in advance for the confirmation.

Cheers,
Robby

nik.baleca · September 17, 2025, 4:02pm

Hi @habikki

Welcome to the Auth0 Community!

Unfortunately, you are unable to configure the max_age of the cache since this is a standard practice by Auth0 and it is consistent across all tenants, regardless if they are a Development or Production one. This is an intentional part of the OIDC protocol which ensures your tenant’s security.

As a potential workaround, if this duration would not be suitable for your production environment, you can cache the JWKS locally for a longer period. If the keys are revoked, you can just make another request to the JWKS endpoint in order to retrieve the newest keys and re-attempt validation.

If you have any other questions, let me know!

Kind Regards,
Nik

habikki · September 17, 2025, 5:56pm

Thanks for the reply @nik.baleca. You’ve confirmed that I can expect caching to remain consistent across tenantes which I had a suspicion on but wanted to plan for ahead of time.

Appreciate the information. I’ll ruminate with my team and plan for the short cache as best as we can.

system · October 1, 2025, 5:57pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JKS Validity period Get Help	4	2849	March 25, 2021
Caching JWKS signing key JWT.io jwks	5	26143	September 4, 2019
JWT expiration fixed at 3600 sec (one hour) JWT.io	2	7192	December 24, 2018
Auth0 Failures getting .well-known/jwks.json Get Help jwks	10	18473	February 15, 2019
Regular rotation of Signing keys JWT.io	5	3944	October 17, 2020

Caching Differences between Development and Production Tenants

Related topics