Manage the JWKS URI on Confluent Cloud

You need to manage the JSON Web Key Set (JWKS) URI of your OAuth identity provider to:

  • Ensure that the public keys used to verify the signatures of JSON Web Tokens (JWTs) are up to date. Follow the steps below to manually refresh the JWKS URI if the automatic refresh fails or if you rotate the public keys.
  • Verify network access to your JWKS URI at least every three months if your identity provider is behind a firewall.

Refresh the JWKS URI of an OAuth identity provider

You can manually refresh the JWKS URI of your OAuth identity provider using either the Confluent Cloud Console or the Confluent Cloud REST API to:

  • Force immediate application of rotated public keys.
  • Recover from automatic refresh failures.

Refresh Frequency Settings

The max-age directive in the Cache-Control header of the JWKS URI response determines how often keys are refreshed:

  • Minimum: 5 minutes (300 seconds)
  • Maximum: 7 days (604800 seconds)
  • Default: 24 hours (86400 seconds) when max-age is not specified.

Note: Values below the minimum are automatically set to 5 minutes, while values above the maximum are capped at 7 days. To increase refresh frequency, set a lower max-age value in your Cache-Control header.

Example: To set a 1-hour (3600 seconds) refresh frequency, the Cache-Control header should be:

Cache-Control: max-age=3600

If the JWKS URI is temporarily unavailable, the system continues using the cached keys until the next successful refresh. In prolonged outages, you might need to manually refresh the JWKS URI using the procedure below once connectivity is restored.
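As an added illustration (not Confluent's own code), the following Python applies the refresh-frequency rules above to a Cache-Control header value: default when max-age is absent, floor at 5 minutes, cap at 7 days. It assumes that an empty or non-numeric max-age is treated the same as "not specified"; the page does not state how such values are handled.

```python
import re
from typing import Optional

# Bounds documented for the Confluent Cloud JWKS refresh interval (seconds).
JWKS_REFRESH_MIN = 300          # 5 minutes
JWKS_REFRESH_MAX = 604_800      # 7 days
JWKS_REFRESH_DEFAULT = 86_400   # 24 hours, used when max-age is not specified

# max-age directive, delimited by start/end of header or commas; value may be quoted.
_MAX_AGE_RE = re.compile(r'(?:^|,)\s*max-age\s*=\s*"?(\d+)"?\s*(?:,|$)', re.IGNORECASE)


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    """Return the max-age value from a Cache-Control header, or None if absent.

    Assumption (not stated on the page): a max-age that is missing, empty or
    non-numeric is treated the same as 'not specified'.
    """
    if not cache_control:
        return None
    m = _MAX_AGE_RE.search(cache_control)
    return int(m.group(1)) if m else None


def effective_refresh_interval(cache_control: Optional[str]) -> int:
    """Seconds between JWKS refreshes after applying the documented rules."""
    max_age = parse_max_age(cache_control)
    if max_age is None:
        return JWKS_REFRESH_DEFAULT
    return min(max(max_age, JWKS_REFRESH_MIN), JWKS_REFRESH_MAX)


def describe(cache_control: Optional[str]) -> str:
    """Explain which rule produced the interval for a given header value."""
    max_age = parse_max_age(cache_control)
    interval = effective_refresh_interval(cache_control)
    if max_age is None:
        reason = "max-age not specified, default applies"
    elif max_age < JWKS_REFRESH_MIN:
        reason = "below minimum, raised to 5 minutes"
    elif max_age > JWKS_REFRESH_MAX:
        reason = "above maximum, capped at 7 days"
    else:
        reason = "within bounds, used as-is"
    return f"{cache_control!r} -> {interval}s ({reason})"


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real identity provider.
    for header in ["max-age=3600", "public, max-age=60", "max-age=2592000",
                   "no-cache", None, 'public, max-age="600", must-revalidate']:
        print(describe(header))
```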

Use the Confluent Cloud Console to manually refresh the JWKS URI

To manually refresh the JWKS URI of your OAuth identity provider:

  1. Sign in to the Confluent Cloud Console and go to the Workload identities tab on the Accounts & access page at https://confluent.cloud/settings/org/workload_identities.
  2. Click the identity provider you want to refresh. The details page appears.
  3. Click Edit (icon) and then click Refresh JWKS keys.

The refresh operation proceeds and the identity provider details page appears.

Verify network access to the JWKS URI

If your identity provider is behind a firewall, verify at least every three months that Confluent Cloud can reach your JWKS endpoint over the internet from the Confluent Cloud public IP addresses. Contact your identity provider to add new Confluent Cloud public IP addresses to your firewall allowlist.

To get the available Confluent Cloud public IP addresses, run the following curl command, using your API key and API secret:

curl -X GET "https://api.confluent.cloud/networking/v1/ip-addresses?services=EXTERNAL_OAUTH" \
  -H "Authorization: Basic $(echo -n "${API_KEY_ID}:${API_KEY_SECRET}" | base64)" \
  -H "Content-Type: application/json"

Alternatively, you can view the available Confluent Cloud public IP addresses on the Confluent Cloud Console. Navigate to Accounts and access -> Workload identities tab.
