I’m writing an API that is authenticated with an Auth0 access token. That’s pretty simple and is working fine - including automatically fetching the JKS from the .well-known URL to ensure the token is correct.
What I’m not sure about is validity. The cache control headers say something like 15 seconds, which is obviously not correct. But equally I don’t want to be making an HTTP call to Auth0 for every incoming call that I’m authorising because that’s just expensive.
Is there a standard duration that the JKS is valid for? Or do I really need to refetch it on every token (obeying the cache settings, obviously)?
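
One common way to handle the trade-off raised in the question, added here as an example that is not part of the original post and is not Auth0's own code: cache the keys by `kid`, refetch only when the cache expires or a token names an unknown `kid`, and rate-limit those refetches. The class name, the `fetch` callable, and the TTL and cooldown values are assumptions chosen for illustration.

```python
import time

class JwksCache:
    """Caches signing keys by kid; refetches on expiry or on an unknown kid."""

    def __init__(self, fetch, ttl=600.0, min_refetch_interval=30.0,
                 clock=time.monotonic):
        self._fetch = fetch               # hypothetical callable returning the parsed JWKS dict
        self._ttl = ttl                   # assumed lifetime of a fetched key set, in seconds
        self._min = min_refetch_interval  # assumed floor between refetches on unknown kid
        self._clock = clock
        self._keys = {}
        self._fetched_at = None
        self.fetch_count = 0

    def _refresh(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def get_key(self, kid):
        """Return the JWK for kid, or None (the caller must reject the token)."""
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()
        elif kid not in self._keys and now - self._fetched_at >= self._min:
            # An unknown kid may mean the signing key was rotated: refetch,
            # but at most once per cooldown so tokens carrying made-up kids
            # cannot force an HTTP call per request.
            self._refresh()
        return self._keys.get(kid)

if __name__ == "__main__":
    # Constructed sample key set; a real fetch would GET the .well-known JWKS URL.
    served = {"keys": [{"kid": "key-1", "kty": "RSA"}]}
    cache = JwksCache(lambda: served)
    for _ in range(1000):
        cache.get_key("key-1")
    print("lookups: 1000, fetches:", cache.fetch_count)
```
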