When verifying JSON Web Tokens (JWTs) signed with asymmetric algorithms, such as RS256, the system needs access to the public keys of the issuer. These keys are typically published at a JSON Web Key Set (JWKS) endpoint. This topic explains how the JWKS flow works during application startup and during subsequent token validations.

The JWKS flow fetches the issuer's keys lazily, caches them for a configurable period, and keeps serving the last successfully retrieved key set if a refresh fails, so that a transient JWKS endpoint outage does not become an authentication outage. The following table summarizes the process:
| Step | Description |
|------|-------------|
| Startup | No JWKS fetch occurs at startup. Retrieval is deferred until the first JWT verification that requires RS256 keys. |
| First JWT verification | When a JWT signed with RS256 is encountered, the system downloads the JWKS from the configured endpoint. |
| Caching | The downloaded keys are cached for the duration specified by jwks_cache_seconds. |
| Cache expiry | When the cache expires, the system attempts to re-fetch the JWKS on the next verification. |
| Failure handling | If the re-fetch fails, the system continues using the previously cached keys until the next successful attempt. This design minimizes authentication outages. Note the trade-off: while the endpoint is unreachable, keys the issuer has since rotated out remain trusted, and keys published after the last successful fetch are unknown, so tokens signed with them fail verification until a fetch succeeds. |
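The complete flow in the table above (deferred fetch, TTL cache, re-fetch on expiry, stale-key fallback on failure), as an added stand-alone example that is not the product's own code. The HTTPS endpoint is replaced by a constructed in-memory stand-in, the JWKS entries carry placeholder `n`/`e` values rather than a real modulus, and the `JwksCache`, `FakeJwksEndpoint`, `header_kid` and `key_for_token` names are this example's own. The token handling stops at selecting the key by `kid`; signature verification itself is out of scope here.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional


class JwksFetchError(Exception):
    """Raised when no key set is available because the first JWKS fetch failed."""


class JwksCache:
    """Lazy, TTL-based JWKS cache that keeps stale keys when a refresh fails.

    `fetch` returns the parsed JWKS document ({"keys": [...]}); `cache_seconds`
    plays the role of jwks_cache_seconds; `clock` is injectable so expiry can be
    exercised deterministically (defaults to a monotonic clock).
    """

    def __init__(self, fetch: Callable[[], dict], cache_seconds: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = cache_seconds
        self._clock = clock
        self._keys: Optional[Dict[str, dict]] = None  # None until the first fetch
        self._fetched_at = 0.0
        self.fetch_attempts = 0
        self.fetch_failures = 0

    def _refresh(self) -> None:
        self.fetch_attempts += 1
        try:
            doc = self._fetch()
            # Index RS256-usable keys by kid; ignore entries without a kid.
            keys = {k["kid"]: k for k in doc["keys"]
                    if k.get("kty") == "RSA" and "kid" in k}
        except Exception as exc:
            self.fetch_failures += 1
            if self._keys is None:
                raise JwksFetchError("initial JWKS fetch failed; no keys cached") from exc
            return  # refresh failed after a good fetch: keep the stale keys, retry next call
        self._keys = keys
        self._fetched_at = self._clock()

    def get_key(self, kid: str) -> dict:
        """Return the JWK for `kid`, fetching on first use or after the TTL has elapsed."""
        if self._keys is None or self._clock() - self._fetched_at >= self._ttl:
            self._refresh()
        try:
            return self._keys[kid]
        except KeyError:
            raise KeyError(f"no RSA key with kid={kid!r} in cached JWKS") from None


class FakeJwksEndpoint:
    """Constructed stand-in for the HTTPS JWKS endpoint; no network I/O."""

    def __init__(self, keys: list, fail: bool = False) -> None:
        self.keys, self.fail, self.calls = keys, fail, 0

    def __call__(self) -> dict:
        self.calls += 1
        if self.fail:
            raise ConnectionError("simulated JWKS endpoint outage")
        return {"keys": list(self.keys)}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict) -> str:
    """Constructed sample token: real header encoding, placeholder payload and signature."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(b'{"sub":"demo"}'), "sig"])


def header_kid(token: str) -> str:
    """Parse the JWT header and return its kid, accepting only alg RS256.

    Pinning the algorithm before key lookup avoids algorithm-confusion attacks;
    this parses the header only and does not verify the signature.
    """
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only RS256 is accepted")
    return header["kid"]


def key_for_token(token: str, cache: JwksCache) -> dict:
    """Select the verification key for a token from the cache (fetching lazily)."""
    return cache.get_key(header_kid(token))


if __name__ == "__main__":
    # Placeholder JWK; "n" is not a real RSA modulus.
    sample_keys = [{"kty": "RSA", "kid": "2024-01", "use": "sig", "alg": "RS256",
                    "n": "placeholder-modulus", "e": "AQAB"}]
    endpoint = FakeJwksEndpoint(sample_keys)
    now = [1000.0]
    cache = JwksCache(endpoint, cache_seconds=300, clock=lambda: now[0])
    print("fetches at startup:", endpoint.calls)
    key_for_token(make_unsigned_token({"alg": "RS256", "kid": "2024-01"}), cache)
    print("fetches after first verification:", endpoint.calls)
    now[0] = 1300.0
    endpoint.fail = True
    print("stale key still served:", cache.get_key("2024-01")["kid"], "failures:", cache.fetch_failures)
```

Because a failed refresh leaves the expiry timestamp untouched, every verification after expiry retries the endpoint until one succeeds, which is the behaviour the table describes; a production implementation would add backoff between attempts. Tokens whose `kid` is absent from the cached set are rejected here; whether an unknown `kid` should trigger an early re-fetch is not part of the flow described above.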