The previous article ended with this caveat:

> In production, replace createInMemoryKeyStore() with a persistent store backed by a database or secrets manager so keys survive restarts.

This article does exactly that. We'll swap the in-memory key store for two PostgreSQL-backed implementations:

- A JwksKeyStore that stores private keys with envelope encryption (AES-256-GCM, DEK + KEK) and public keys as plain JSON.
- A JwksRotationTimestampStore that derives the last rotation time directly from the key record's creation time.

Everything else in index.ts (the flow builder, endpoints, login form) stays identical.

TL;DR

The full runnable example is available at GitHub (oidc-persistent-app).

The problem with in-memory keys

createInMemoryKeyStore() keeps key material in process memory. This has two consequences in production:

| Scenario | What happens |
| --- | --- |
| Server restart | A new key pair is generated. All tokens issued before the restart are now unverifiable |
| Multiple instances / pods | Each instance generates its own key pair.… |
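The envelope encryption scheme named in the introduction (AES-256-GCM, a per-key DEK wrapped by a KEK), as an added example that is not the article's or the library's own code. The function names, the record shape, the sample values and the use of the kid as additional authenticated data are assumptions of this example.

```typescript
// Added example: envelope encryption of a private JWK (not the article's own code).
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical record shape; in the article's setup this would be one PostgreSQL row.
interface SealedKey { kid: string; wrappedDek: string; ciphertext: string }

// AES-256-GCM encrypt; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function gcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Inverse of gcmSeal; throws if the key, the AAD or any byte of the blob is wrong.
function gcmOpen(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Encrypt the private JWK under a one-off DEK, then wrap that DEK under the KEK.
// Assumption of this example: the kid is bound as AAD so rows cannot be swapped.
function sealPrivateJwk(kek: Buffer, kid: string, jwk: object): SealedKey {
  const dek = randomBytes(32);
  const aad = Buffer.from(kid, "utf8");
  const ciphertext = gcmSeal(dek, Buffer.from(JSON.stringify(jwk), "utf8"), aad);
  const wrappedDek = gcmSeal(kek, dek, aad);
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return { kid, wrappedDek: wrappedDek.toString("base64"), ciphertext: ciphertext.toString("base64") };
}

// Unwrap the DEK with the KEK, then decrypt the JWK with the DEK.
function openPrivateJwk(kek: Buffer, rec: SealedKey): object {
  const aad = Buffer.from(rec.kid, "utf8");
  const dek = gcmOpen(kek, Buffer.from(rec.wrappedDek, "base64"), aad);
  try {
    return JSON.parse(gcmOpen(dek, Buffer.from(rec.ciphertext, "base64"), aad).toString("utf8"));
  } finally {
    dek.fill(0);
  }
}

// Constructed sample values: a random KEK (it belongs in a secrets manager,
// not in the database) and a dummy private JWK.
const sampleKek = randomBytes(32);
const sampleJwk = { kty: "EC", crv: "P-256", d: "constructed-not-a-real-key" };
const sampleRow = sealPrivateJwk(sampleKek, "kid-constructed-1", sampleJwk);
```

Only the wrapped DEK and the ciphertext reach the database, so a dump of the key table is useless without the KEK, and rotating the KEK means re-wrapping the 32-byte DEKs rather than re-encrypting every private key.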