--- title: Public Key Cache Non-Refresh Interval in seconds description: This property is only relevant when the property Enable internal checking of JWT signature is set to true. component: java-agents version: 2025.11 page_id: java-agents:properties-reference:org.forgerock.agents.public.key.non.refresh.interval.seconds canonical_url: https://docs.pingidentity.com/java-agents/2025.11/properties-reference/org.forgerock.agents.public.key.non.refresh.interval.seconds.html --- # Public Key Cache Non-Refresh Interval in seconds This property is only relevant when the property [Enable internal checking of JWT signature](org.forgerock.agents.internal.check.jwt.signature.enabled.html) is set to `true`. The agent caches AM public keys used for JWT signing. When the agent receives a JWT using a key not in its cache, it will invoke AM to retrieve the current list of valid keys. This property prevents the agent from invoking AM "too often" after it has already done so. This property helps to mitigate DoS attacks whereby a hacker floods a site with requests using JWTs containing deliberately invalid key ids. Ordinarily this would cause the agent to flood AM with requests, but with this property set to a non zero value, there is a window in which AM is not invoked, excess network traffic is not generated and all JWTs containing unknown keys are rejected. | | | | ------------------------ | ------------------------------------------------------------------------------------------------- | | Property name | `org.forgerock.agents.public.key.non.refresh.interval.seconds` | | Aliases | `org.forgerock.agents.public.key.non.refresh.interval.seconds`   Introduced in Java Agent 2024.11 | | Function | Authentication service | | Type | Integer | | Default | `120` | | Bootstrap property | No | | Required property | No | | Restart required | No | | Local configuration file | `AgentConfig.properties` |