...

Because Keycloak-issued tokens are JWTs that are digitally signed and encoded using JWS, an access token can be validated locally using the public key of the issuing realm. The realm's public key can either be hard-coded in the validation code, or be looked up and cached using the certificate endpoint with the Key ID (KID) embedded within the JWS.
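The local validation flow described above, as an added example (not code from the original page or from Keycloak): the realm key is resolved by `kid` through a cache and the JWS signature is verified with the public key only. Assumptions not stated on the page: tokens are signed with RS256, `iss` and `exp` are also checked, `demo_jwks` stands in for the certificate endpoint response, the key pair is a constructed toy key, and the refresh rate limit and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo
P, Q, E, K = 2**521 - 1, 2**607 - 1, 65537, 141  # K = modulus length in bytes
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # constructed demo key (Mersenne primes): insecure
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):  # expected PKCS#1 v1.5 encoded message for a k-byte modulus
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(msg, sig, n, e):  # RS256 verification, public key only
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, emsa(msg, k))

def demo_jwks():  # stands in for the realm's certificate endpoint response
    return {"keys": [{"kid": "demo-kid", "n": b64e(N.to_bytes(K, "big")), "e": b64e(E.to_bytes(3, "big"))}]}

def demo_sign(header, claims):  # plays the issuer; validate() never uses D
    m = ".".join(b64e(json.dumps(x).encode()) for x in (header, claims))
    return m + "." + b64e(pow(int.from_bytes(emsa(m.encode(), K), "big"), D, N).to_bytes(K, "big"))

class RealmKeyCache:
    def __init__(self, fetch, min_refresh=60):
        self.fetch, self.min_refresh, self.keys, self.last, self.fetches = fetch, min_refresh, {}, None, 0
    def get(self, kid, now):  # refetch on an unknown kid (rotation), at most once per min_refresh s
        if kid not in self.keys and (self.last is None or now - self.last >= self.min_refresh):
            self.last, self.fetches = now, self.fetches + 1
            self.keys = {k["kid"]: tuple(int.from_bytes(b64d(k[f]), "big") for f in ("n", "e"))
                         for k in self.fetch()["keys"]}
        return self.keys.get(kid)

def validate(token, cache, issuer, now):
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64d(h64)), json.loads(b64d(p64)), b64d(s64)
        alg, kid, iss, exp = header.get("alg"), header.get("kid"), claims.get("iss"), claims.get("exp")
    except (ValueError, AttributeError):
        return None  # malformed token
    if alg != "RS256" or not isinstance(kid, str):
        return None  # pin the algorithm; never accept "none" or HS256 from the header
    key = cache.get(kid, now)
    if key is None or not rsa_verify(f"{h64}.{p64}".encode(), sig, *key):
        return None  # unknown kid or bad signature
    if iss != issuer or not isinstance(exp, (int, float)) or exp <= now:
        return None  # wrong realm or expired
    return claims
```

Without the refresh limit, every token carrying an unknown `kid` would trigger a request to the certificate endpoint, so the cache refetches at most once per `min_refresh` seconds.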

...