I am trying to validate JWT tokens for Sign in with Google. The documentation says that the Google public keys can be obtained at https://www.googleapis.com/oauth2/v3/certs. However, this address returns two keys and not one.

Why are there two keys? Do I need to try to validate with one and, if it does not work, try the other? Or must the token be valid with both keys?

user1480192
Every key in the JWKS (JSON Web Key Set) is identified by a Key Id ("kid"). Your token should contain a "kid", which tells you which is the right key. – jps Jun 01 '22 at 19:25
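
The key selection described in the comment above, as an added example that is not part of the original question or comment: it reads the token header, picks the one JWKS entry whose "kid" matches, and rejects tokens with a missing or unknown "kid" or an unexpected algorithm. The RS256 allowlist, the function names and the sample JWKS and token are assumptions constructed for illustration; the signature must still be verified with the selected key by a JWT library.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # assumption: allowlist fixed by the verifier, never taken from the token

class KeySelectionError(Exception):
    """Raised when no single trusted key can be chosen for a token."""

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def select_jwk(token: str, jwks: dict) -> dict:
    """Return the single JWKS entry that the token header's kid points at."""
    parts = token.split(".")
    if len(parts) != 3:
        raise KeySelectionError("not a compact JWS (expected 3 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise KeySelectionError("unreadable header") from exc
    if not isinstance(header, dict):
        raise KeySelectionError("header is not a JSON object")
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise KeySelectionError(f"algorithm {alg!r} not allowed")
    if not isinstance(kid, str) or not kid:
        raise KeySelectionError("header has no kid")
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == kid and k.get("use", "sig") == "sig"
               and k.get("alg", alg) == alg]
    if len(matches) != 1:
        # Unknown kid: refetch the JWKS once in case the cached copy is stale, then reject.
        raise KeySelectionError(f"no unique key for kid {kid!r}")
    return matches[0]

# Constructed sample data (not real Google keys or tokens); "n" values are placeholders.
SAMPLE_JWKS = {"keys": [
    {"kid": "key-a", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "constructed-modulus-a", "e": "AQAB"},
    {"kid": "key-b", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "constructed-modulus-b", "e": "AQAB"},
]}
SAMPLE_TOKEN = b64url_encode({"alg": "RS256", "kid": "key-b", "typ": "JWT"}) + ".e30.c2ln"

if __name__ == "__main__":
    print(select_jwk(SAMPLE_TOKEN, SAMPLE_JWKS)["kid"])
```

Only the selected key is used for verification; the token is never tried against each key in turn, and it does not need to validate under both.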
