The way it works is that we create a new RSA key pair initially and keep track of when it was created. Let's say a new key pair is supposed to be generated every 24 hours: whilst the current key is less than 24 hours old, it is used to create and verify session tokens.
After 24 hours, the old key pair is thrown away and a new one is generated. The new pair is used to create new tokens; however, verification of tokens signed with the old pair will fail.
For those old tokens, the user will fall back on using the refresh API to get a new JWT signed with the newly generated RSA key pair, so there are no user logouts.