So i use HS256 JWT. It comes with a symmetric key used to sign and validate JWT’s. This is stored in Kongs database. When you generate a token as an external client, Kong looks up and caches the JWT key + metadata info associated to that JWT token you sent. In the event you pass a jwt token and your Kong node cannot reach the database at the time to cache the jwt info then yes auth would fail. You can now set the database cache time to be indefinite though, and Kong recommends such a setting as they trust their cache logic more now than when it initially rolled out. Remember every Kong node has to talk to the database and cache relevant info from the database on an as needed basis.
One clarification(I am not sure if when Kong starts it takes the liberty to go ahead and cache all relevant jwt keys found on record to its local node cache, could be a perf improvement if they did so). Unlike oauth where they have to cache individual tokens and could not do such an optimization .