Validating JWT with JWKS: Can we store JWKS file instead of downloading every time?

Hi,

Every example shows that we need to download jwks.json file from https://your_domain.auth0.com/.well-known/jwks.json. I would like to ask: how often the content can be changed? What if I download the file once and save in application settings. Of course it won’t be possible if this file gets update periodically. I assume this key is based on global client secret/client id values (tenant settings -> advanced -> Global Client Information), but I did not see any possible way to rotate secrets.

So, is it good idea to download jwks content once and use it every time when I validate JWT and what can be a reason to change the file content?

Thank you.

Please do cache the result of the .well-known file. It will change, though extremely rarely.
Your code must handle when the key used to sign the token does not appear in your cache, then you will have to re-download the file.

John

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.