[keycloak-user] kid and x5t jwt header

Hi, A (.net) application has stored multiple certificates. It wants to choose the appropriate certificate to validate the signature in the received jwt. Regarding this I have the following questions. What exactly is the key ID (kid) header in the jwt? Is it possible to use this to find the right certificate. Is it possible to add a x.509 certificate thumbprint (x5t) header in the jwt created by keycloak? Is there a feature request for this? Could I implement this myself via some extension mechanism? Or do I need to add it in the core source code and submit it to be included in the keycloak product? Regards, Robert