Vault caching JWKS requests

Does Vault internally cache requests to the jwks_url endpoint used for JWT auth? Or does it call it every time a client tries to authenticate on auth/jwt/login?

Yes, it does. It goes to JWKS only when the kid is not in the cache.

Thanks @ssuciu!

As a follow-up, do you know what the TTL on that cache is? Is it configurable?

Does not need a TTL; if the kid is not present in the cache, it goes to the JWKS URL and adds the new key to the cache. The assumption is that the kid is random enough to be unique…
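
A small Go model of the caching behaviour described in the reply above, added here as an illustration; it is not Vault's code and not part of the original posts. `KidCache`, `fetchJWKS` and the sample keys are hypothetical names and constructed values. In this model a kid costs one upstream request no matter how many logins use it, and a key the issuer has withdrawn from the JWKS keeps being served from the cache.

```go
package main

import (
	"errors"
	"fmt"
)

// fetchJWKS stands in for an HTTP GET of jwks_url; it returns kid -> key material.
type fetchJWKS func() (map[string]string, error)

// KidCache models the behaviour described in the thread: keys are cached by
// kid with no TTL, and the JWKS endpoint is contacted only on a cache miss.
type KidCache struct {
	keys    map[string]string
	fetch   fetchJWKS
	Fetches int // number of upstream JWKS requests made
}

func NewKidCache(f fetchJWKS) *KidCache {
	return &KidCache{keys: map[string]string{}, fetch: f}
}

// Lookup returns the key for kid, going upstream only when kid is not cached.
func (c *KidCache) Lookup(kid string) (string, error) {
	if k, ok := c.keys[kid]; ok {
		return k, nil // cache hit: no network call, no expiry check
	}
	c.Fetches++
	set, err := c.fetch()
	if err != nil {
		return "", err
	}
	for id, k := range set { // keys are only added; nothing is ever evicted
		c.keys[id] = k
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return "", errors.New("kid not found in JWKS: " + kid)
}

func main() {
	published := map[string]string{"kid-a": "pubkey-a"} // constructed sample JWKS
	c := NewKidCache(func() (map[string]string, error) { return published, nil })
	c.Lookup("kid-a")
	c.Lookup("kid-a")
	delete(published, "kid-a") // issuer withdraws the key
	_, err := c.Lookup("kid-a")
	fmt.Println("fetches:", c.Fetches, "withdrawn key still served:", err == nil)
}
```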