We're working with the zero trust paradigm, so the latter is not an option, thanks for the suggestion though. IMHO a JWT token signature validation is a perfect subject for in-memory caching; its size is predictable and relatively short (doesn't need to be hashed when it's in-memory) and cache TTL is really predictable, too. It's only really relevant if each Cerbos instance has an in-memory LRU cache, though. The tradeoffs of using an external cache (hashing + interchanging data) are too high compared to validating the signature.
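
The following is an added example, not part of the comment above and not Cerbos code: a per-instance LRU that remembers tokens which already passed verification, keyed by the raw token, with each entry's lifetime capped by both the token's `exp` and a maximum TTL. `VerifiedCache`, `NewVerifiedCache` and the `verify` callback are hypothetical names; `verify` stands in for the full JWT check (signature and claims) and is assumed to return the token's expiry.

```go
package main

import (
	"container/list"
	"sync"
	"time"
)

type entry struct{ token string; expires time.Time } // expires = min(token exp, insert time + maxTTL)

// VerifiedCache is a hypothetical per-instance LRU of tokens that already passed verification.
type VerifiedCache struct {
	mu     sync.Mutex
	size   int
	maxTTL time.Duration            // bounds how long a rotated or revoked key stays trusted
	order  *list.List               // front = most recently used
	items  map[string]*list.Element // keyed by the raw token, no hashing
	verify func(token string) (exp time.Time, err error) // stand-in for the full JWT check
	now    func() time.Time
}

func NewVerifiedCache(size int, maxTTL time.Duration, verify func(string) (time.Time, error)) *VerifiedCache {
	return &VerifiedCache{size: size, maxTTL: maxTTL, order: list.New(), items: map[string]*list.Element{}, verify: verify, now: time.Now}
}

// Check runs the full verification only on a miss; failures are never cached.
func (c *VerifiedCache) Check(token string) error {
	c.mu.Lock() // held across verify for brevity
	defer c.mu.Unlock()
	now := c.now()
	if el, ok := c.items[token]; ok {
		if now.Before(el.Value.(*entry).expires) {
			c.order.MoveToFront(el)
			return nil
		}
		c.order.Remove(el) // stale entry: drop it and verify again
		delete(c.items, token)
	}
	exp, err := c.verify(token)
	if err != nil {
		return err
	}
	if limit := now.Add(c.maxTTL); exp.After(limit) {
		exp = limit
	}
	c.items[token] = c.order.PushFront(&entry{token, exp})
	if c.order.Len() > c.size {
		delete(c.items, c.order.Remove(c.order.Back()).(*entry).token)
	}
	return nil
}
```

Only successful verifications are stored, so a rejected token is re-checked on every request, and `maxTTL` limits how long a cached result outlives a key rotation.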