jwks.json
document that should contain all valid signing keys of the upstream system.
Normally this resides somewhere in the .well-known
space but can differ in many ways.
Examples are: https://auth-server/.well-known/jwks.json
Please be aware that if you don't provide a JWKS URL, no signature verification will be performed. This is useful for use cases that use JWT but don't sign them.
It is strongly recommended that you sign your JWTs and verify their signatures using JWKS.