The OpenID specification requires a JWKs endpoint to list public keys that can verify ID tokens.
TODO: Expand this with how the keys should be generated/rotated, where they're stored, what format.