auth.provider API
    Preparing search index...

    Variable DEFAULT_JWKS_CACHE_MAX_AGEConst

    DEFAULT_JWKS_CACHE_MAX_AGE: 300

    Default Cache-Control: public, max-age=<N> lifetime (seconds) for the JWKS response when oauth.jwt.jwksCacheMaxAge is unset. JWKS is the most-polled verifier endpoint, so a non-zero default cuts polling load; 5 minutes is short enough that a rotated key propagates quickly to verifiers that cache the set. Operators with a different key-overlap window tune it via config — max-age should stay well below the overlap window so a token signed with a freshly-rotated kid is never rejected longer than the cache lifetime.