This doc states:
Currently Auth0 only supports a single JWK for signing, however it is important to assume this endpoint could contain multiple JWKs. As an example, multiple keys can be found in the JWKS when rotating signing certificates.
typically, when does a rotation of the signing certificates happen? who/what triggers it?
when a rotation happen, are all new tokens signed with that new certificate or is there some kind of delay before being in use?
I am trying to avoid fetching the certificate when new tokens kid are submitted to my app, and instead have a separate process that will refresh a cache of active keys asynchronously. But for this to work I need to fetch the signing certificate before my app needs it. Any tips on how to do this would be greatly appreciated.