We have a bunch of web and mobile apps and an API gateway that use Keycloak
OpenID Connect for security.
At the API gateway end, one has the choice of either validating an access
token using the cryptographic credentials from the identity server (offline
mode) or validating every message on the IdP's introspection endpoint (real
time).
Using offline validation will not hit the IdP every time an app interacts
with the gateway, but we have the potential to allow transactions through
even though the user has signed out on the SSO server. Using the
introspection endpoint will allow users to sign out and stop all
transactions immediately.
I am concerned that using the real-time validation approach will make the
gateway uptime and performance absolutely dependent on the IdP and that the
IdP needs to be scaled at the rate of the API platform.
Has anyone else had to make a decision which one to use? Any guidance or
thoughts you could share?
______________________________________________
I usually take a hybrid approach. Use offline mode with short-lived tokens
(1-2 minutes). That way a single app "request" would rarely require more
than a single refresh across multiple API calls, but if the session is
terminated there's a much smaller amount of time that the token can be
abused.
This also depends on how sensitive the data/app is. If the data is really
sensitive I would suggest not going with offline tokens but that's
dependent on your appetite for risk.
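The hybrid policy described in the reply, as an added example that is not part of the thread or of Keycloak itself: tokens are checked offline (signature and expiry) and the gateway only calls the introspection endpoint when a token's lifetime exceeds the short-lived window or when it carries a scope treated as sensitive. It assumes an HS256 shared secret as a stand-in for the RS256/JWKS verification a real gateway would do, an injected `introspect` callable in place of the Keycloak endpoint, and a constructed `SENSITIVE_SCOPES` set and 120-second threshold.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; real Keycloak tokens are RS256-signed and
# the gateway verifies them against the realm's JWKS, not a shared secret.
SECRET = b"example-gateway-secret"
MAX_OFFLINE_LIFETIME = 120          # seconds: the 1-2 minute window from the reply
SENSITIVE_SCOPES = {"payments"}     # assumed scopes that always need introspection


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Create an HS256 JWT (stand-in for the IdP) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_offline(token: str, now: float) -> dict:
    """Signature, algorithm and expiry check with no call to the IdP; raises on failure."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust the token's own alg choice
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def validate(token: str, now: float, introspect) -> dict:
    """Hybrid policy: offline for short-lived, non-sensitive tokens; otherwise ask the IdP.
    `introspect(token)` stands in for the Keycloak introspection endpoint and
    returns True only while the user's session is still active."""
    claims = verify_offline(token, now)
    lifetime = claims["exp"] - claims["iat"]
    scopes = set(claims.get("scope", "").split())
    if lifetime > MAX_OFFLINE_LIFETIME or scopes & SENSITIVE_SCOPES:
        return {"active": introspect(token), "mode": "introspection"}
    return {"active": True, "mode": "offline"}
```

A signed-out user with a short-lived, non-sensitive token is still accepted offline until `exp`, which is exactly the window the reply trades for not hitting the IdP on every call.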