JWKS (JSON Web Key Set) is a standard format and endpoint where an identity provider publishes the public keys it uses to sign JWTs. It’s what your server fetches to verify tokens.
How it fits in
When an IdP issues a signed JWT (like an OIDC ID token), you need the corresponding public key to verify the signature. The IdP publishes its keys at a well-known URL — usually /.well-known/jwks.json — and your client fetches and caches them.
Each key has a kid (key ID). JWTs include the kid in their header so you can pick the right key when there are multiple.
Key rotation
IdPs rotate their signing keys periodically (monthly or quarterly). When they do, a new kid appears in the JWKS. Your client should:
- Cache the JWKS with a reasonable TTL (1 hour is typical)
- Refetch on cache miss OR when you see a kid not in your cache
- Never hardcode a specific key
If your validator caches keys forever, the first rotation will lock your users out — every new token has a kid your cache doesn’t recognize.
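As an added example (not code from the original page), here is the caching policy described above in Python: a TTL on the cached key set, a refetch when a token carries an unknown kid, and a cooldown so that a flood of tokens with bogus kids cannot turn every request into a fetch against the IdP. The fetcher and clock are injected callables (assumptions, so it runs offline); signature verification itself is left to your JWT library, and the kid is only a lookup hint, never a trust decision.

```python
import time
from typing import Callable, Dict, Optional


class JwksCache:
    """Caches a JWKS by kid; refetches on TTL expiry or unknown kid (with a cooldown)."""

    def __init__(self, fetch_jwks: Callable[[], dict], ttl: float = 3600.0,
                 refetch_cooldown: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch_jwks          # assumed: returns the parsed JWKS document
        self._ttl = ttl                   # 1 hour, as the glossary suggests
        self._cooldown = refetch_cooldown # minimum gap between unknown-kid refetches
        self._clock = clock
        self._keys: Dict[str, dict] = {}
        self._fetched_at = -float("inf")
        self._last_miss_refetch = -float("inf")
        self.fetch_count = 0              # exposed so callers can observe fetch behaviour

    def _refresh(self) -> None:
        doc = self._fetch()
        # Index by kid; a key without a kid cannot be selected from a token header.
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str) -> Optional[dict]:
        """Return the JWK for kid, or None. The caller must still verify the signature."""
        now = self._clock()
        refreshed = False
        if now - self._fetched_at >= self._ttl:
            self._refresh()
            refreshed = True
        key = self._keys.get(kid)
        # Unknown kid is usually a rotation: refetch once, then back off so that
        # attacker-chosen kids cannot force a fetch per request.
        if key is None and not refreshed and now - self._last_miss_refetch >= self._cooldown:
            self._last_miss_refetch = now
            self._refresh()
            key = self._keys.get(kid)
        return key


def simulate_rotation() -> dict:
    """Constructed scenario: the IdP publishes k1, later adds k2 after a rotation."""
    published = {"keys": [{"kid": "k1", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "constructed"}]}
    now = [0.0]
    cache = JwksCache(lambda: published, ttl=3600, refetch_cooldown=60, clock=lambda: now[0])
    out = {"k1_first": cache.get_key("k1") is not None, "fetches_after_hit": None}
    cache.get_key("k1")                      # served from cache, no fetch
    out["fetches_after_hit"] = cache.fetch_count
    now[0] = 10; cache.get_key("bogus-1")    # unknown kid: one refetch
    now[0] = 20; cache.get_key("bogus-2")    # within cooldown: no refetch
    out["fetches_after_storm"] = cache.fetch_count
    now[0] = 100
    published["keys"].append({"kid": "k2", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "constructed"})
    out["k2_after_rotation"] = cache.get_key("k2") is not None
    now[0] = 3700; cache.get_key("k1")       # TTL expired: refresh
    out["fetches_final"] = cache.fetch_count
    return out
```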
See the full auth glossary for related terms.