Default Cache-Control: public, max-age=<N> lifetime (seconds) for the
JWKS response when oauth.jwt.jwksCacheMaxAge is unset. JWKS is the
most-polled verifier endpoint, so a non-zero default cuts polling load;
5 minutes is short enough that a rotated key propagates quickly to
verifiers that cache the set. Operators with a different key-overlap
window tune it via config — max-age should stay well below the overlap
window so a token signed with a freshly-rotated kid is never rejected
longer than the cache lifetime.
Default
Cache-Control: public, max-age=<N>lifetime (seconds) for the JWKS response whenoauth.jwt.jwksCacheMaxAgeis unset. JWKS is the most-polled verifier endpoint, so a non-zero default cuts polling load; 5 minutes is short enough that a rotated key propagates quickly to verifiers that cache the set. Operators with a different key-overlap window tune it via config —max-ageshould stay well below the overlap window so a token signed with a freshly-rotated kid is never rejected longer than the cache lifetime.