diff --git a/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/jwt/Issuer.java b/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/jwt/Issuer.java
index 3fca2042344..219bf22dee3 100644
--- a/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/jwt/Issuer.java
+++ b/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/jwt/Issuer.java
@@ -62,9 +62,11 @@ public class Issuer {
 private final HttpClient client;
 private final boolean offlineSuppressed;
 
+ // Recommendation for six hours comes from this document:
+ // https://doi.org/10.5281/zenodo.3460258
 private final Supplier> keys = MemoizeMapWithExpiry.memorize(this::readJwksDocument)
 .whenEmptyFor(Duration.ofMinutes(1))
- .whenNonEmptyFor(Duration.ofMinutes(10))
+ .whenNonEmptyFor(Duration.ofHours(6))
 .build();
 
 public Issuer(HttpClient client, IdentityProvider provider, int tokenHistory) {
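Review bot: The six-hour lifetime passed to `whenNonEmptyFor` also bounds how long a signing key the issuer has withdrawn from its JWKS document keeps validating tokens here, and the added comment cites where the number comes from without stating that trade-off. I would extend the comment with something like `// Trade-off: a key the issuer removes (rotation or compromise) stays trusted for up to six hours.` The hunk does not show whether a token signed with a key missing from the cached map triggers an early refetch, since `readJwksDocument` and the key lookup lie outside it. If it does not, a newly rotated-in key would also be rejected until the cache expires, which is worth confirming. Making the duration a named constant or a configuration property would let operators shorten it during an incident without a rebuild.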