Jack Henry does not have a required maximum lifetime for a public key. We recommend using a jwks endpoint regardless of your chosen standard for key expiration/lifetime. The OIDC provider will automatically fetch new keys as they are rotated when using the JWKS endpoint for the configuration rather than hardcoding a public key in PEM format.