the key is stored in the database. We use RSA keys for JWT, which means, a private key is used to sign and create JWT, and a public key is used to verify it. The nodeJS SDK get's only the public key from the service for purpose of verification. Creating a new token, or changing the signing keys happens in the service side. So if the signing key is changed, the NodeJS sdk will still have the older public key. Any new access token that comes in will fail invalidation. The SDK will then pass on the access token to the service to verify (which will succeed cause it has the latest JWT key), and in response, the NodeJS sdk will get the new public key. Also, JWT signing Key Rotations is a pro feature only.