If you plan to depend on kid or use a library that does then it’s likely that library also allows you to provide the jwks.json endpoint mentioned above. This means that library receives token, get kid from token, gets key from endpoint and validates token assuming a matching key is found. So technically you don’t need to store kid anywhere, if you’re using it then you get it from the token and use it to find the matching key.