Refresh the JWKS URI of an OAuth identity provider

When you configure an OAuth identity provider in Confluent Cloud, Confluent OAuth uses the JWKS URI you provide to fetch the public key data used to validate JWT access tokens. By default, the keys are refreshed from the JWKS URI at the frequency specified by the cache-control header in the response from the JWKS URI. If a cache-control value is not specified, the default refresh period is once a day. The refresh period is capped at a maximum of seven days. For example, if the response header states that the JWKS keys are valid for a month, the keys are still refreshed at seven-day intervals.

If the JWKS URI is not available, the automatic refresh fails.

You can manually refresh the JWKS URI of your OAuth identity provider if the automatic refresh fails or if you rotate the public keys of your OAuth identity provider and want the changes to take effect immediately.
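The refresh rules described above can be turned into a quick planning check for key rotation. The following is an added example, not Confluent code: it assumes the cache-control value is carried in the max-age directive (the page does not name the directive), and the function names are hypothetical.

```python
import re

DEFAULT_REFRESH_S = 24 * 60 * 60      # page: once a day when no cache-control value is given
MAX_REFRESH_S = 7 * 24 * 60 * 60      # page: refresh period is capped at seven days

_MAX_AGE = re.compile(r"\s*max-age\s*=\s*(\d+)\s*", re.IGNORECASE)


def effective_refresh_seconds(cache_control):
    """Refresh period implied by a JWKS response's Cache-Control value (str or None).

    Assumption: the max-age directive carries the lifetime. The page states no
    minimum, so small values are returned unchanged.
    """
    for directive in (cache_control or "").split(","):
        match = _MAX_AGE.fullmatch(directive)
        if match:
            return min(int(match.group(1)), MAX_REFRESH_S)
    return DEFAULT_REFRESH_S


def needs_manual_refresh(cache_control, lead_time_s):
    """True when a new key is used for signing sooner after publication than
    the worst-case wait for the next automatic refresh."""
    return lead_time_s < effective_refresh_seconds(cache_control)


if __name__ == "__main__":
    # Constructed header values, not captured from a real identity provider.
    for header in (None, "public, max-age=3600", "max-age=2592000", "no-transform"):
        period = effective_refresh_seconds(header)
        print(f"{header!r:28} refresh every {period / 3600:g} h; "
              f"manual refresh needed for a 2 h lead time: "
              f"{needs_manual_refresh(header, 2 * 3600)}")
```

The lead time is the gap between publishing a new key at the JWKS URI and issuing the first token signed with it; when it is shorter than the refresh period, tokens signed with the new key can fail validation until a manual refresh is done.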

Use the Confluent Cloud Console to manually refresh the JWKS URI

To manually refresh the JWKS URI of your OAuth identity provider:

  1. Sign in to the Confluent Cloud Console and go to the Identity providers tab on the Accounts & access page at http://confluent.cloud/settings/org/identity_providers
  2. Click the identity provider you want to refresh. The details page appears.
  3. Click Edit (icon) and then click Refresh JWKS keys.

The refresh operation proceeds and the identity provider details page appears.

Use the Confluent Cloud REST API to manually refresh the JWKS URI

To use the Confluent Cloud REST API to make a request to refresh the JWKS URI, see Refresh a provider’s JWKS.