diff --git a/.changeset/polite-jokes-matter.md b/.changeset/polite-jokes-matter.md
new file mode 100644
index 0000000000..d317b79a7d
--- /dev/null
+++ b/.changeset/polite-jokes-matter.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-node': patch
+---
+
+Address corner cases where the key store was not being created at startup
diff --git a/plugins/auth-node/src/IdentityClient.ts b/plugins/auth-node/src/IdentityClient.ts
index 3799222447..0773d22c26 100644
--- a/plugins/auth-node/src/IdentityClient.ts
+++ b/plugins/auth-node/src/IdentityClient.ts
@@ -141,7 +141,7 @@ export class IdentityClient {
 // Add a small margin in case clocks are out of sync
 const issuedAfterLastRefresh = payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
- if (!keyStoreHasKey && issuedAfterLastRefresh) {
+ if (!this.keyStore || (!keyStoreHasKey && issuedAfterLastRefresh)) {
 const url = await this.discovery.getBaseUrl('auth');
 const endpoint = new URL(`${url}/.well-known/jwks.json`);
 this.keyStore = createRemoteJWKSet(endpoint);
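Review bot: The second term of the added condition in `IdentityClient.ts` still decides whether to refresh from `payload.iat`, and if `payload` is decoded before the signature is checked (the decoding is outside this hunk) that claim is controlled by whoever sent the token, so requests carrying an unknown key and a recent `iat` can each cause a discovery lookup and a fresh key set. The new `!this.keyStore` term is sound for the startup case because it does not depend on any token claim; the refresh term would be safer if it were also bounded by elapsed time, for example `Date.now() / 1000 - this.keyStoreUpdated > MIN_REFRESH_INTERVAL_S` (a placeholder constant, not defined in this file, and assuming `keyStoreUpdated` is in seconds as the comparison with `iat` suggests). A comment above the condition such as `// Always create the key store on first use; afterwards refresh only for tokens issued after the last refresh` would record why the two terms differ. The enclosing method starts and ends outside the hunk, so the update of `keyStoreUpdated` cannot be checked from here.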