Validating Firebase JWTs manually - cert expiry and finding out which one to use

I'm able to generate custom token JWTs (verified by my service account public certs) and then obtain ID tokens as well from the SDK (verified by Google's public certs).

In the custom token JWT, the header doesn't contain the key ID - does this mean I'll just have to trial and error all three shown in my service account's cert link?

And for both the custom token and ID token, how often do the certs change? This will determine how long I can cache a cert file locally.

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum