I am building a Zendesk app which needs to communicate with my backend server. This app will be installed at multiple zendesk instances (those instances are customers of mine). For that, I'm planning to use the JWT token method for authenticating the requests (reference).
So, Zendesk will make a POST call to my backend with a JWT token. Then, my backend server verifies this JWT token and returns an HTML page with an auth token embedded in it. Finally, my app can use this auth token to further communicate with the backend server.
I have a few questions about the JWT verification part:
1) Since my app is installed at multiple Zendesk instances (i.e. multiple Zendesk subdomains), how will I get the public key for the app? Is the public key constant for all installations? If so, can I get the public key for the app once I have uploaded it to the Zendesk marketplace?
2) In the doc it is mentioned that we should also verify the ZENDESK_APP_AUD. It contains the subdomain and the app_installation_id. The subdomain is already stored in my backend, but how do I get the app_installation_id? It is unique per installation, right? Is it enough to check the subdomain alone and ignore the app_installation_id part?
To make sure: the JWT token is only signed using the private key, right? If so, I guess the zendesk_app_aud is just to verify the issuing Zendesk instance.
3) The auth token which my backend injects into the webpage has an expiration time. So, after the auth token expires, my frontend can't make any requests to the backend. Thus, is there any way to reload the app using the ZAF SDK so that the whole JWT authentication happens again?
Please revert back on this ASAP. Thanks!
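As an added example (not code from the question, from Zendesk, or from any Zendesk SDK), here is how a backend can verify such a token in Go using only the standard library: pin the algorithm to RS256, verify the signature with the app's public key, check `exp`, and compare the whole `aud` value (subdomain plus installation id) rather than the subdomain alone. The claim names `aud`/`exp` are standard JWT claims, but the audience string layout, the `Claims` struct and the `SignTestJWT` helper are assumptions constructed for this sample; the page does not show the real audience format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims the backend checks; aud is assumed to be a single string (constructed for this example).
type Claims struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyAppJWT checks the RS256 signature with the app's public key, rejects expired
// tokens and requires aud to equal the full audience expected for this installation.
func VerifyAppJWT(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".") // Split never returns an empty slice, so parts[0] is safe
	var hdr struct{ Alg string `json:"alg"` } // pin the alg: never let the token choose "none" or an HMAC alg
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) || c.Aud != expectedAud {
		return nil, errors.New("token expired or audience mismatch") // compare the whole aud, not only the subdomain
	}
	return &c, nil
}

// SignTestJWT mints a token for the sample run only; in production only the issuer holds the private key.
func SignTestJWT(priv *rsa.PrivateKey, c Claims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(c)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:]) // errors only on a malformed key
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

Storing the per-installation audience value alongside the subdomain lets the backend reject a token that was issued for a different installation of the same app, which a subdomain-only check would accept.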