Re: verifying JWTs with AWS KMS. It's possible to call the KMS API for every single verification, but it seems possible to download the KMS public key and then proceed to use that. Undoubtedly, this is the ideal route for long-lived applications, but it's less clear for serverless applications on AWS Lambda, where cold start is important to optimize for. It seems to me that downloading and using the public key would always be slower the first time than just verifying with the API. However, I haven't yet tested this.
Does anyone have any experience with this tradeoff?
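
The download-once route from the question, as an added example that is not part of the original post: the public key is fetched on first use, kept at module scope, and reused by warm invocations, with the algorithm pinned to RS256. It assumes a Node.js Lambda runtime; `fakeKms` is a hypothetical stub standing in for the KMS client, and the key pair and token are constructed locally so the code runs offline.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for an asymmetric KMS signing key (RSA 2048, used for RS256).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical stub of the KMS client; it counts calls so the cost is visible.
const fakeKms = {
  calls: 0,
  async getPublicKey() {
    this.calls += 1;
    // The real GetPublicKey returns the key as DER-encoded SubjectPublicKeyInfo.
    return { PublicKey: publicKey.export({ type: 'spki', format: 'der' }) };
  },
};

const b64url = (x) => Buffer.from(x).toString('base64url');

// Constructed sample token, signed locally here instead of by kms:Sign.
function makeToken(claims) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Module scope survives between warm invocations of one execution environment.
let cachedKey = null;
async function getKey(kms) {
  if (!cachedKey) {
    cachedKey = kms.getPublicKey().then((r) =>
      crypto.createPublicKey({ key: Buffer.from(r.PublicKey), format: 'der', type: 'spki' }));
    cachedKey.catch(() => { cachedKey = null; }); // do not cache a failed download
  }
  return cachedKey;
}

async function verifyJwt(token, kms) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url')); } catch { return null; }
  if (header?.alg !== 'RS256') return null; // pin the algorithm; ignore what the token asks for
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    await getKey(kms), Buffer.from(parts[2], 'base64url'));
  return ok ? JSON.parse(Buffer.from(parts[1], 'base64url')) : null;
}
```

With the real service the stub becomes one GetPublicKey call per execution environment, whereas the per-request alternative is one Verify call on every invocation.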