JWT validation methods

On the JSON web token (JWT) validation page, you specify how incoming JWTs are validated. You can do this either by manually uploading a primary and a backup RSA public key, or by loading the keys dynamically from a JSON web key set (JWKS) file.

Manual RSA key upload

This validation method requires you to upload a primary RSA public key, used to verify incoming requests, and a backup RSA public key for use during key rotations. The RSA keys you upload typically have an expiry date, so you need to upload new keys periodically.

Dynamic JSON web key set upload

As an alternative to the manual method, you can use a JWKS. With this method, trust is anchored in the certificate chain of the hostname in the JWKS URI. JWKS URIs are secure locations that store public JSON web keys as an array of JSON objects. Certificate chains usually have a longer lifespan than RSA keys, so the JWT validation page needs less frequent updates. JWKS also lets you rotate keys more seamlessly, reducing interruptions for clients that consume the JWTs.

Note: If you choose the JWKS method, ensure that the public keys are located at the following path: https://your_domain/.well-known/jwks.json. This is the default path from which edge servers request the JWKS over Transport Layer Security (TLS). The .well-known prefix provides a central location for web resources of a specific type and helps avoid collisions between resources. For more details on the .well-known prefix, see RFC 5785.

A full valid JWKS URI could look like this: https://bookstore.api.com/.well-known/jwks.json

For additional details on the JWKS specification, see RFC 7517.
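To make both validation methods concrete, here is an added example written in Go with only the standard library; it is not part of this page or of any product's code. It builds a JWKS document in the RFC 7517 shape holding a primary and a backup RSA key, and a verifier that selects the key by the token's kid header, so tokens signed by either key validate during a rotation, while a token whose kid is not published in the set, or whose header names an algorithm other than RS256, is rejected. The key ids, the claims and the JWKS itself are constructed for the example; a deployment would fetch the document over TLS from https://your_domain/.well-known/jwks.json, which the example does not do.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 members this verifier needs for an RSA signing key.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document an edge server fetches from /.well-known/jwks.json.
type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// toJWK publishes an RSA public key under a key id (the issuer's side).
func toJWK(pub *rsa.PublicKey, kid string) JWK {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
}

// publicKey rebuilds an rsa.PublicKey from the JWK's n and e members.
func (k JWK) publicKey() (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("malformed RSA JWK %q", k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// VerifyJWT validates an RS256 token against a JWKS: the header's kid selects the key, so
// primary- and backup-signed tokens both verify during a rotation; only RS256 is accepted.
func VerifyJWT(token string, set JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm
		return nil, fmt.Errorf("rejected alg %q", hdr.Alg)
	}
	var key *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid {
			if key, err = k.publicKey(); err != nil {
				return nil, err
			}
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is the raw header.payload
	if errP != nil || errS != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	return claims, json.Unmarshal(payload, &claims)
}

// SignJWT issues an RS256 token whose header names the signing key (issuer side).
func SignJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// RotationDemo verifies tokens against a constructed JWKS (primary plus backup key) that
// stands in for a fetched jwks.json, and reports which of them validate.
func RotationDemo() (primaryOK, backupOK, unknownKidOK bool) {
	primary, _ := rsa.GenerateKey(rand.Reader, 2048)
	backup, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc, _ := json.Marshal(JWKS{Keys: []JWK{toJWK(&primary.PublicKey, "2024-primary"), toJWK(&backup.PublicKey, "2024-backup")}})
	var set JWKS
	_ = json.Unmarshal(doc, &set) // parse it back exactly as a JWKS consumer would
	claims := map[string]any{"sub": "reader@example.test", "scope": "books:read"}
	_, errPrimary := VerifyJWT(SignJWT(primary, "2024-primary", claims), set)
	_, errBackup := VerifyJWT(SignJWT(backup, "2024-backup", claims), set)
	_, errRetired := VerifyJWT(SignJWT(primary, "2023-retired", claims), set) // kid absent from the set
	return errPrimary == nil, errBackup == nil, errRetired == nil
}
```

The same verifier covers the manual method: the two uploaded RSA public keys are simply the two entries of the set, so a token signed with the backup key keeps validating while the primary is rotated out. Run it with go test, or add a main that prints RotationDemo(); it returns true, true, false.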