If you plan to depend on kid
or use a library that does then it’s likely that library also allows you to provide the jwks.json
endpoint mentioned above. This means that library receives token, get kid
from token, gets key from endpoint and validates token assuming a matching key is found. So technically you don’t need to store kid
anywhere, if you’re using it then you get it from the token and use it to find the matching key.