stop caching guest jwks response (#1615)

ignaciojimenezr · web-flow · commit 9948ee85b3e1 · 2026-03-14T22:26:04.000-07:00
diff --git a/mcpjam-inspector/server/app.ts b/mcpjam-inspector/server/app.ts
@@ -186,10 +186,10 @@ export function createHonoApp() {
     return c.json({ status: "ok", timestamp: new Date().toISOString() });
   });
 
-  // Guest JWT JWKS endpoint — public, cacheable, no auth required.
+  // Guest JWT JWKS endpoint — public, no auth required, avoid edge caching.
   // Convex uses this to verify guest JWTs natively.
   app.get("/guest/jwks", (c) => {
-    c.header("Cache-Control", "public, max-age=3600");
+    c.header("Cache-Control", "no-store");
     return c.json(getGuestJwks());
   });
 
diff --git a/mcpjam-inspector/server/routes/web/__tests__/guest-jwks.test.ts b/mcpjam-inspector/server/routes/web/__tests__/guest-jwks.test.ts
@@ -42,11 +42,11 @@ describe("GET /api/web/guest-jwks", () => {
     rmSync(testGuestKeyDir, { recursive: true, force: true });
   });
 
-  it("returns a public, cacheable JWKS document", async () => {
+  it("returns a non-cacheable JWKS document", async () => {
     const response = await app.request("/api/web/guest-jwks");
 
     expect(response.status).toBe(200);
-    expect(response.headers.get("cache-control")).toBe("public, max-age=3600");
+    expect(response.headers.get("cache-control")).toBe("no-store");
     expect(response.headers.get("content-type")).toContain("application/json");
 
     const body = await response.json();
diff --git a/mcpjam-inspector/server/routes/web/index.ts b/mcpjam-inspector/server/routes/web/index.ts
@@ -39,7 +39,7 @@ web.route("/guest-session", guestSession);
 
 // Public JWKS endpoint for guest JWT verification.
 web.get("/guest-jwks", (c) => {
-  c.header("Cache-Control", "public, max-age=3600");
+  c.header("Cache-Control", "no-store");
   return c.json(getGuestJwks());
 });
 
