Hello, I have a backend service that needs to validate tokens. I read this guide and it mentions that I should hit the endpoint: https://your-tenant.auth0.com/.well-known/jwks.json in order to retrieve the public key. What the article didn’t mention though was whether the endpoint is subject to r…

Hey there @a.saad welcome to the community! [image] a.saad: in order to retrieve the public key. What the article didn’t mention though was whether the endpoint is subject to rate limits or not. So if I have a medium-sized application, ~30K active users, will it be ok to get the JWK from the e…

Is the endpoint to get the JWK for token validation rate limited?

Help

tyf September 28, 2022, 6:08pm 3

Hey there @a.saad welcome to the community!

The /jwks endpoint is indeed subject to rate limits, so you’ll definitely want to implement some sort of caching. It really depends on your application needs and whether or not you have signing key rotation enabled (you should ) You can see how Auth0 goes about this in our node-jwks-rsa library. The following resources should be of help as well:

Hope this helps!