Caching helps reduce latency and improve the performance of access decisions by minimizing repetitive calls to Identity Sources, external services, or the Policy Engine itself. The Authorization Platform supports multiple caching mechanisms that can be configured based on the expected volatility of data and specific use cases. These include:
- Identity Source Cache – for caching Identity Data from external sources
- Scope Cache – for caching access decisions based on request patterns
- JWKS Cache – for caching public keys used to validate incoming JWTs
The sections below provide detailed guidance for each type of cache, including configuration options and key considerations.
Identity Source Cache
The Identity Source cache can improve performance by caching Identity data fetched from Identity Data Sources. By using this cache option, the PlainID PDP can avoid calling the Identity Data Source for every Decision Request. It is considered best practice to use this cache when the Identity Data used in Policies is not very dynamic. For example, if your Identity Template source includes user attributes such as Job Title, Department, Location, etc., it might be logical to have this data cached since this type of data is unlikely to change often.
Key facts about the Identity Source cache:
- The cache duration is managed per Identity Source.
- The cache duration is defined (in seconds) under Identity Workspace Settings > Attribute sources > Cache Duration.
- If not defined, the default cache duration is 0 seconds. This means there is no cache and no decisions are saved.
- If changed in the PAP, the change is pushed to the PAA or Cloud PDP and takes effect when the previous TTL expires or when the PlainID PDP is restarted.
Scope Cache
The Scope cache option can improve performance by caching access decisions that are not likely to change very frequently. The PlainID PDP calculates the dynamic access decision and stores it in the Redis cache store. When a new access decision request is sent during the cache period, the PlainID PDP checks whether the cache already contains a response for the same request. If it does, the PlainID PDP returns the cached response immediately instead of recalculating the decision.
Key information about the Scope cache:
- The cache for Access Decision responses calculated by the PlainID PDP uses the full PlainID PDP request as the cache key.
- The Cache Duration is managed per Scope.
- The cache duration is defined (in minutes) under Environment settings > Scopes > Cache Duration.
- Users can define IP and time conditions. Such conditions do not alter how cache keys are calculated and do not affect the Scope cache.
- If changed in the PAP, the change is pushed to the PAA or Cloud PDP and takes effect when the previous TTL expires or when the PlainID PDP is restarted.
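The following is an added illustration of the Scope cache behaviour described above, not PlainID code: decisions are keyed on the full request (canonicalised so attribute order does not matter), the TTL is configured per Scope in minutes, and a Scope with the default duration of 0 is never cached. A plain dict and an injectable clock stand in for Redis and wall-clock time.

```python
import hashlib
import json
import time
from typing import Callable

# Hypothetical stand-in for the PDP's decision calculation (assumption).
DecisionFn = Callable[[dict], dict]


def cache_key(request: dict) -> str:
    """Derive the cache key from the full request, independent of field order."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ScopeDecisionCache:
    def __init__(self, cache_minutes: dict, now: Callable[[], float] = time.time):
        # Per-Scope cache duration in minutes; a missing Scope defaults to 0 (no cache).
        self.cache_minutes = cache_minutes
        self.now = now
        self.store = {}  # cache_key -> (expires_at, decision); Redis in the real PDP

    def decide(self, request: dict, compute: DecisionFn) -> tuple:
        """Return (decision, from_cache), recalculating only on a miss or expiry."""
        ttl_minutes = self.cache_minutes.get(request["scope"], 0)
        if ttl_minutes <= 0:
            return compute(request), False  # duration 0: nothing is saved
        key = cache_key(request)
        entry = self.store.get(key)
        if entry is not None and entry[0] > self.now():
            return entry[1], True
        decision = compute(request)
        self.store[key] = (self.now() + ttl_minutes * 60, decision)
        return decision, False
```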
JWKS (for incoming JWT validation)
The PlainID PDP can receive access decision requests with a JWT, both for authenticating the calling client and for sending Identity Data as part of the request. Incoming JWTs are validated for authenticity and expiration using keys prefetched from the configured JWKS URLs. These prefetched keys are cached in the PlainID PDP memory and used for validation rather than calling the JWKS URL for each incoming request. The certificate information is refreshed from the JWKS URLs every hour by default (3,600,000 ms).
To change the JWKS refresh time:
- Open the values-custom.yaml file.
- Add the following code:
  runtime:
    extraEnv:
      # Refresh JWKS time in milliseconds. For hybrid users to change in production
      REFRESH_JWKS: "3600000"
- Modify the REFRESH_JWKS value.
- Restart the service.