I have a microservices architecture system which uses JWT to authenticate microservices and front-end. Everything there is great.

Now, I need to authenticate third party clients. At first, it looks like the third party clients are same as front-end, however, these clients are back-end only(they store their keys securely) and I want my API to be simply used without the need to refresh token f.e. I issue a token for a client and the token never expires.

Looks simple at first, I could just set up Token storage, generate random API keys for clients and then, to authenticate a client, I could look up the storage. However, key storage then becomes a bottleneck for whole system. Currently used JWTs contains the info itself and I want to have similar approach with these API keys.

So the question is: How can I issue API keys that every microservice can validate without requesting my authentication microservice on every request( something similar like JWT)?