Validating JWT with JWKS: Can we store JWKS file instead of downloading every time?

azzz · April 19, 2019, 9:00am

Hi,

Every example shows that we need to download jwks.json file from https://your_domain.auth0.com/.well-known/jwks.json. I would like to ask: how often the content can be changed? What if I download the file once and save in application settings. Of course it won’t be possible if this file gets update periodically. I assume this key is based on global client secret/client id values (tenant settings → advanced → Global Client Information), but I did not see any possible way to rotate secrets.

So, is it good idea to download jwks content once and use it every time when I validate JWT and what can be a reason to change the file content?

Thank you.

john.gateley · April 19, 2019, 1:42pm

Please do cache the result of the .well-known file. It will change, though extremely rarely.
Your code must handle when the key used to sign the token does not appear in your cache, then you will have to re-download the file.

John

system · September 2, 2019, 12:13pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auth0 Failures getting .well-known/jwks.json Help jwks	10	17645	February 15, 2019
Feedback on Caching JWKS for JWT Verification in Ruby Help apis , application	2	89	July 15, 2024
Basic question about JWKS URL Help login-experience , new-universal-login-experience	4	537	July 30, 2024
How do I properly cache the JWKS? Help jwks , cache , auth0-php	3	5859	October 16, 2020
Will public key from JWKS go invalid Help jwks , jwt-validation , python	4	6296	August 19, 2019

Validating JWT with JWKS: Can we store JWKS file instead of downloading every time?

Related Topics