Is the endpoint to get the JWK for token validation rate limited?

a.saad · September 28, 2022, 5:42pm

Hello,

I have a backend service that needs to validate tokens. I read this guide and it mentions that I should hit the endpoint:

https://your-tenant.auth0.com/.well-known/jwks.json

in order to retrieve the public key. What the article didn’t mention though was whether the endpoint is subject to rate limits or not.

So if I have a medium-sized application, ~30K active users, will it be ok to get the JWK from the endpoint each time I want to validate a token or should I cache it? And if I’m supposed to cache the key, how often should I refresh my cache?

Thanks

tyf · September 28, 2022, 6:08pm

Hey there @a.saad welcome to the community!

The /jwks endpoint is indeed subject to rate limits, so you’ll definitely want to implement some sort of caching. It really depends on your application needs and whether or not you have signing key rotation enabled (you should ) You can see how Auth0 goes about this in our node-jwks-rsa library. The following resources should be of help as well:

Hope this helps!

system · October 12, 2022, 6:08pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Caching JWKS signing key JWT.io jwks	5	23824	September 4, 2019
JKS Validity period Help	4	2481	March 25, 2021
Will public key from JWKS go invalid Help jwks , jwt-validation , python	4	6296	August 19, 2019
How do I properly cache the JWKS? Help jwks , cache , auth0-php	3	5859	October 16, 2020
JWKS Endpoint requests issue Help api , login	8	5328	December 29, 2020

Is the endpoint to get the JWK for token validation rate limited?

Related Topics