#community

Rasmus Dencker

06/09/2022, 4:00 PM
I could check the source, but I'm too lazy 😂 Does Cerbos cache auxdata.jwt to not validate signatures on each request?

Charith (Cerbos)

06/09/2022, 4:03 PM
The keys are cached but not the JWT itself. Caching is a bit difficult to do because of all the little things that could change between requests, so we don't do it at the moment.
If you have a validating gateway for the JWT and can trust the internal network, then you can switch off JWT verification in Cerbos.

Rasmus Dencker

06/09/2022, 4:16 PM
We're working with the zero trust paradigm, so the latter is not an option, thanks for the suggestion though. IMHO a JWT token signature validation is a perfect subject for in-memory caching; its size is predictable and relatively short (doesn't need to be hashed when it's in-memory) and cache TTL is really predictable, too. It's only really relevant if each Cerbos instance has an in-memory LRU cache, though. The tradeoffs of using an external cache (hashing + interchanging data) are too high compared to validating the signature.
just a simple ARC/LRU would suffice
but when running in production it's probably just a matter of nanoseconds anyway
so we'll just design around it (batch checking permissions for instance)
There's some invalidation to take care of when the Keyset changes, but that's all I can think of*

Charith (Cerbos)

06/09/2022, 4:22 PM
Yeah, that's the thing. Even though it seems fairly simple, there are a few edge cases that complicate things. Since it's relatively fast, we left out caching for later. It would be good to hear about your experience here. If verification is adding a lot of overhead, we can try to expedite implementing caching for JWT 🙂

Rasmus Dencker

06/09/2022, 4:25 PM
yeah every new feature costs time, and there are likely some features in the pipeline that provide a lot more value! so no worries, I don't think it's going to be a big problem at all.

Charith (Cerbos)

06/09/2022, 4:28 PM
Keep us posted about your progress and any issues you run into. We're happy to help.

Rasmus Dencker

06/09/2022, 6:47 PM
Just chipped in with a couple of thoughts. Thanks for opening the issue, Charith!