The reason I'm asking the questions is that as we need to validate the id token signature returned by Apple when a user Sign In with Apple, I'm not sure whether it is necessary to fetch Apple's public key every time from this endpoint (GET https://appleid.apple.com/auth/keys). Is there rate limit to the endpoints (GET public key and POST validate authcode/token)?
Will Apple ever change the public key in the future? If so, will the developers be notified when Apple changes it? Also, how often do we expect Apple will change it?
Thank you!