[a_random_name]

(glanced at it so I could be wrong) They're talking about a public key that can be used to validate the JWT's authenticity. AFAIK there is no need to keep these secret, and it's not possible to (without breaking public key crypto) forge them so it should be safe to store them wherever.

[time4tea]

From article:

Private key redis key

    public static string PrivateKey(string kid) => $"{Root}:jwks:private:{kid}"; // full private material (short life)

[tveita]

There's some odd choices here.

  - 90 days is a very long time to keep keys, I'd expect rotation maybe between 10 minutes and a day? I don't see any justification for this in the article.
  - There's no need to keep any private keys except the current signing key and maybe an upcoming key. Old keys should be deleted on rotation, not just left to eventually expire.
  - https://github.com/aaroncpina/Aaron.Pina.Blog.Article.08/blob/776e3b365d177ed3b779242181f0045cd6387b3f/Aaron.Pina.Blog.Article.08.Server/Program.cs#L70-L77 - You're not allowed to get a new token if you have a a token already? That's unworkable - what if you want to log in on a new device? Or what if the client fails to receive the token request after the server sends it, the classic snag with use-only-once tokens?
  - A fun thing about setting an expiry on the keys is that it makes them eligible for eviction with Redis' standard volatile-lru policy. You can configure this, but it would make me nervous.

[a_random_name]

TY, that seems like not the best practice.