Refresh the JWKS URI of an OAuth identity provider¶
When you configure an OAuth identity provider in Confluent Cloud, the JWKS URI you
provided is used by Confluent OAuth to fetch the public key data for
validation of the JWT access tokens. By default, the JWKS URI refreshes
at the frequency specified by the
cache-control header in the response
from the JWKS URI. If a
cache-control value is not specified, the default
refresh period is once a day. Note that the refresh period is capped
at a maximum of seven days. For example, if the response header states that the
JWKS keys are valid for a month, the keys are still refreshed at seven day
If the JWKS URI is not available, the automatic refresh fails.
You can manually refresh the JWKS URI of your OAuth identity provider if the automatic refresh fails or if you rotate the public keys of your OAuth identity provider and want the changes to take effect immediately.
Use the Confluent Cloud Console to manually refresh the JWKS URI¶
To manually refresh the JWKS URI of your OAuth identity provider:,
- Sign in to the Confluent Cloud Console and go to the Identity providers tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers
- Click the identity provider you want to refresh. The details page appears.
- Click Edit (icon) and then click Refresh JWKS keys.
The refresh operation proceeds and the identity provider details page appears.