diff --git a/endpoints/key_server.py b/endpoints/key_server.py
index 6ab4fddf5..b164f03f3 100644
--- a/endpoints/key_server.py
+++ b/endpoints/key_server.py
@@ -1,6 +1,6 @@
 import logging
-from datetime import datetime
+from datetime import datetime, timedelta
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers
@@ -88,7 +88,15 @@ def get_service_key(service, kid):
 if key.approval is None:
 abort(409)
- return jsonify(key.jwk)
+ resp = jsonify(key.jwk)
+
+ # Set the cache header to be a year for non-expiring keys.
+ lifetime = timedelta(days=365)
+ if key.expiration_date is not None:
+ lifetime = key.expiration_date - key.created_date
+ resp.cache_control.max_age = lifetime.seconds
+
+ return resp
 @key_server.route('/services//keys/', methods=['PUT'])
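Review bot: `lifetime.seconds` on the `max_age` line is only the seconds component of the timedelta (0–86399), not its total length, so the 365-day default yields `max-age=0` and any whole-day lifetime is truncated the same way; use `resp.cache_control.max_age = int(lifetime.total_seconds())`. Separately, the lifetime is measured as `key.expiration_date - key.created_date`, so once the first fix is in, a key fetched late in its life would be cacheable well past its expiration; computing the remaining time from the current time, clamped at zero, keeps caches from serving an expired JWK. A year-long max-age for non-expiring keys also means a key that is later removed, or whose approval is withdrawn, can keep being served from intermediate caches, so a shorter bound is worth considering. The start of get_service_key is outside the hunk, so how `key` is loaded is not visible here.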