# ory-copilot
@chilly-king-10285 I'm evaluating using JWTs as authorization grants, following the OAuth 2.0 JWT profile. The `ory.trustOAuth2JwtGrantIssuer` endpoint (ref) requires providing the `jwk` directly. However, the clients I'll be integrating with periodically rotate their JWKS. Is there a way to configure the trust relationship using a `jwks_uri` instead of providing the jwk directly, to accommodate this rotation?
A message from kapa.ai
Based on the knowledge sources provided, there appears to be a distinction between how OAuth2 clients and JWT grant issuers are configured in Ory. For OAuth2 clients, Ory supports both direct key configuration via `jwks` and key rotation via `jwks_uri`. As mentioned in the documentation:

> "The `jwks_uri` is a URL that points to a JSON Web Key Set (JWKS) that contains the public key. The `jwks` field is a direct JSON object representation of the JWKS." [JSON Web Token (JWT) profile for OAuth2](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)

However, for JWT grant issuers (which is what you're asking about), the `trustOAuth2JwtGrantIssuer` endpoint only appears to support providing the JWK directly in the request body. The API reference shows that the request requires a `jwk` parameter but doesn't mention a `jwks_uri` alternative for this specific trust relationship. The documentation for establishing a trust relationship shows an example where the public key is provided directly:
```javascript
const { data } = await ory.trustOAuth2JwtGrantIssuer({
  trustOAuth2JwtGrantIssuer: {
    // ...other parameters...

    // The public key with which the JWT's signature can be verified (example)
    jwk: {
      alg: "RS256",
      use: "sig",
      kty: "RSA",
      e: "AQAB",
      kid: "d8e91f55-67e0-4e56-a066-6a5f0c2efdf7",
      n: "nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw",
    },

    // ...other parameters...
  },
})
```
[Using JWTs as Authorization Grants](https://www.ory.sh/docs/hydra/guides/jwt#using-jwts-as-authorization-grants)

Based on the available knowledge sources, there doesn't appear to be a way to configure the trust relationship for JWT grant issuers using a `jwks_uri` instead of providing the JWK directly. This means that for clients that rotate their keys, you would need to update the trust relationship each time they rotate their keys. If key rotation is a critical requirement for your use case, you might need to:

1. Implement a process to monitor the client's JWKS endpoint for changes
2. Update the trust relationship via the API when new keys are detected
3. Consider maintaining multiple trust relationships during rotation periods

However, the knowledge sources don't provide explicit information about supporting `jwks_uri` for JWT grant issuers, so this limitation appears to be by design in the current implementation.