It seems likely you've got a design issue. You should check your system of record to populate your cache because cache is volitile and therefore cannot be your system of record, which means you must have one somewhere which is why the intent of having a cache is to balance latency of checking and load against the system of record versus server (gateway) resources (i.e. memory). The cache lets you respond a little quicker (or a lot if your backend is very poor performing) but consumes memory on your gateway, so it's in your interest to expire content that is not required (i.e. expired oauth tokens that are no longer valid) or not being used (i.e. web page content that is not recently requested). In the later case you can expire it at a long interval (i.e. once an hour, day , or even a week), but if it changes very rarely and you still want to keep from checking your backend then why not just consider it static content and embed it in policy?