Is the endpoint to get the JWK for token validation rate limited?

Hello,

I have a backend service that needs to validate tokens. I read this guide and it mentions that I should hit the endpoint:

https://your-tenant.auth0.com/.well-known/jwks.json

in order to retrieve the public key. What the article didn’t mention though was whether the endpoint is subject to rate limits or not.

So if I have a medium-sized application, ~30K active users, will it be ok to get the JWK from the endpoint each time I want to validate a token or should I cache it? And if I’m supposed to cache the key, how often should I refresh my cache?

Thanks

Hey there @a.saad, welcome to the community!

The /jwks endpoint is indeed subject to rate limits, so you’ll definitely want to implement some sort of caching. It really depends on your application needs and whether or not you have signing key rotation enabled (you should 🙂). You can see how Auth0 goes about this in our node-jwks-rsa library. The following resources should be of help as well:

Hope this helps!
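The caching the reply recommends, written out as an added example that is not from this thread or from Auth0's node-jwks-rsa library. It assumes an injected `fetchJwks` function that returns the parsed JWKS document, and the `JwksCache` class and `kidFromToken` helper are hypothetical names chosen here:

```javascript
// Added example (not the thread's or Auth0's node-jwks-rsa code): a JWKS cache for a
// backend that validates tokens. Keys are looked up by the token's `kid`; the endpoint
// is fetched only when the cache is empty or stale (ttlMs) or an unknown kid shows up
// (a key rotation), and unknown-kid refreshes are throttled (minRefreshMs) so a flood
// of tokens with bogus kids cannot push the service into the endpoint's rate limit.
// `fetchJwks` is an injected async function returning the parsed JWKS document; in
// production it would GET https://your-tenant.auth0.com/.well-known/jwks.json.
class JwksCache {
  constructor(fetchJwks, { ttlMs = 10 * 60 * 1000, minRefreshMs = 30 * 1000, now = Date.now } = {}) {
    this.fetchJwks = fetchJwks;
    this.ttlMs = ttlMs;
    this.minRefreshMs = minRefreshMs;
    this.now = now;                 // injectable clock (lets the behaviour be tested)
    this.keys = new Map();          // kid -> JWK
    this.fetchedAt = -Infinity;     // timestamp of the last successful fetch
    this.fetchCount = 0;            // how many times the endpoint was actually hit
  }

  async refresh() {
    const jwks = await this.fetchJwks();
    // Keep only keys that can be used for signature verification (drop `use: "enc"`).
    const signing = jwks.keys.filter((k) => typeof k.kid === 'string' && k.use !== 'enc');
    this.keys = new Map(signing.map((k) => [k.kid, k]));
    this.fetchedAt = this.now();
    this.fetchCount += 1;
  }

  async getSigningKey(kid) {
    const t = this.now();
    if (t - this.fetchedAt > this.ttlMs) await this.refresh();   // cache empty or expired
    let key = this.keys.get(kid);
    if (!key && this.now() - this.fetchedAt >= this.minRefreshMs) {
      await this.refresh();                                      // possible key rotation
      key = this.keys.get(kid);
    }
    if (!key) throw new Error(`no signing key with kid "${kid}"`);
    return key;
  }
}

// Read the kid from the (still unverified) JWT header so the right key can be chosen.
// The header is trusted only for key selection; the signature must still be verified.
function kidFromToken(token) {
  const header = JSON.parse(Buffer.from(token.split('.')[0], 'base64url').toString('utf8'));
  if (typeof header.kid !== 'string') throw new Error('token header has no kid');
  return header.kid;
}
```

With these defaults a tenant of any size hits the endpoint at most once per TTL plus at most one throttled refresh per unknown kid, which is what keeps a rotation working without hammering the JWKS endpoint.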
