Authorization Server Signing Key Rotation

Does the rotation of the keys at the JWKS have a predefined date or is it some random timescale?

If it is random what is best practice for how often should a validating party query the endpoint for the latest key?

Actually I see now it is exactly 3 months as defined in nextRotation as returned from {{url}}/api/v1/authorizationServers endpoint:

“credentials”: {
“signing”: {
“rotationMode”: “AUTO”,
“lastRotated”: “”,
“nextRotation”: “”