JSON Web Key Set
JWKS.
A JSON document published by an OAuth / OIDC server listing its current public signing keys, used by relying parties to verify JWT signatures without out-of-band key distribution.
JWKS caching is the operational lever. Refetching the JWKS on every token validation kills performance and stresses the issuer; caching forever breaks key rotation. The standard pattern is to honor the cache headers the issuer sends (typically 1-24 hours), refetch on cache expiry, and refresh proactively if a token carries a kid that isn't in the cache.
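The caching pattern above, sketched as an added example (not code from this page or from any particular library). The names `JwksCache`, `fetch` and `min_refresh_gap` are assumptions, `fetch` is assumed to return the parsed JWKS plus a plain dict of response headers, and the minimum gap between unknown-kid refetches is an added safeguard so that tokens with made-up kids cannot force a fetch per request.

```python
import re
import time

class JwksCache:
    """Caches an issuer's JWKS; `fetch` returns (jwks_dict, response_headers)."""
    def __init__(self, fetch, default_ttl=3600, min_refresh_gap=60, clock=time.monotonic):
        self.fetch, self.clock = fetch, clock
        # default_ttl applies when no max-age is sent; the gap throttles kid-miss refetches
        self.default_ttl, self.min_refresh_gap = default_ttl, min_refresh_gap
        self.keys, self.expires_at, self.last_fetch = {}, 0.0, None

    def _refresh(self):
        jwks, headers = self.fetch()
        m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
        ttl = int(m.group(1)) if m else self.default_ttl
        self.keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self.last_fetch = self.clock()
        self.expires_at = self.last_fetch + ttl

    def get_key(self, kid):
        now = self.clock()
        if self.last_fetch is None or now >= self.expires_at:
            self._refresh()                  # cache expiry: refetch
        elif kid not in self.keys and now - self.last_fetch >= self.min_refresh_gap:
            self._refresh()                  # unknown kid: the issuer may have rotated
        return self.keys.get(kid)            # None means: reject the token

# Constructed demo: a fake issuer (key material omitted) that adds key "2024-b".
class FakeIssuer:
    def __init__(self):
        self.kids, self.calls = ["2024-a"], 0

    def fetch(self):
        self.calls += 1
        keys = [{"kty": "RSA", "kid": k, "use": "sig"} for k in self.kids]
        return {"keys": keys}, {"Cache-Control": "public, max-age=3600"}

def demo():
    issuer, now = FakeIssuer(), [0.0]
    cache = JwksCache(issuer.fetch, clock=lambda: now[0])
    cache.get_key("2024-a")                  # first use: fetch
    now[0] = 10.0
    bogus = cache.get_key("bogus")           # unknown kid inside the gap: no refetch
    calls_before_rotation = issuer.calls
    issuer.kids.append("2024-b")             # issuer publishes a new key
    now[0] = 120.0
    rotated = cache.get_key("2024-b")        # unknown kid past the gap: refetch
    now[0] = 120.0 + 3600
    cache.get_key("2024-a")                  # max-age elapsed: refetch
    return bogus, calls_before_rotation, rotated["kid"], issuer.calls
```

In a real validator, `fetch` would wrap an HTTPS GET of the issuer's JWKS URL and the returned key would go to the JWT library's signature check.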