When will the old public keys be removed from my JWKS endpoint once I enable the Web Keys beta feature?
What happens with the previously existing public key? For how long will it be present in the JWKS endpoint response?
When you enable the Web Keys beta feature in your instance, two web key pairs are created with one activated, as the docs state.
The old key created before the WebKeys API will keep showing in the JWKS endpoint {your_domain}/oauth/v2/keys
for a max of 30 hours.
We keep the old public keys until they expire, so that existing sessions are not instantly invalidated.
Source: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml#L745