...
Certificate endpoint is: /realms/{realm-name}/protocol/openid-connect/certs. It returns public keys enabled by realm encoded as JSON Web Key (JWK).
Accurate clock synchronisation is required for local token validation, so should not be used in environments where this can't be guaranteed (e.g. end-user web browser).
Refreshing an access token
...