JWKS rotation frequency

libra04ts · April 28, 2023, 1:09am

Hi,

From Okta doc, the JWKS keys rotation is 4 times a year except emergency rotation. If my app fetches every 5 mintues, it would seem to be pretty plenty? should I reduce the frequency? For new apps, can I start without caching of the keys and add it later if there is a slowdown?

List item

Thank you.

dawoudt · April 28, 2023, 5:33am

Hi @libra04ts,

Every 5 minutes is quite frequent. Best practice is to

cache the key and update it periodically, say once a day (or even less frequently).
Use the nextRotation data to preempt when to update the cache.
Having logic fetch new the JWKs to handle when JWT validation fails due to an expired or rotated key.

Ref:

libra04ts · April 28, 2023, 7:45am

Hi @dawoudt , Thanks very much for the suggestions. This helps. Appreciated it.

Post		Replies	Views
Authorization Server Signing Key Rotation Questions	2	4817	June 25, 2019
Detect when JWK keys are rotated API api	2	4919	November 18, 2020
When Okta will add the new JWK public key in GET api/v1/authorizationServers/{authServerID}/credentials/keys Questions	4	3754	March 30, 2021
Issue getting Token when having ODIC application grab public key from URL API	4	142	April 25, 2025
Is it possible to change/update JWKs in an APP? how? Questions	2	3329	February 6, 2024

JWKS rotation frequency

Related topics