diff --git a/management/server/jwtclaims/jwtValidator.go b/management/server/jwtclaims/jwtValidator.go
index d5c1e7c9e..b91616fa5 100644
--- a/management/server/jwtclaims/jwtValidator.go
+++ b/management/server/jwtclaims/jwtValidator.go
@@ -77,6 +77,8 @@ type JWTValidator struct {
 	options Options
 }
 
+var keyNotFound = errors.New("unable to find appropriate key")
+
 // NewJWTValidator constructor
 func NewJWTValidator(ctx context.Context, issuer string, audienceList []string, keysLocation string, idpSignkeyRefreshEnabled bool) (*JWTValidator, error) {
 	keys, err := getPemKeys(ctx, keysLocation)
@@ -124,12 +126,18 @@ func NewJWTValidator(ctx context.Context, issuer string, audienceList []string,
 			}
 
 			publicKey, err := getPublicKey(ctx, token, keys)
-			if err != nil {
-				log.WithContext(ctx).Errorf("getPublicKey error: %s", err)
-				return nil, err
+			if err == nil {
+				return publicKey, nil
 			}
 
-			return publicKey, nil
+			msg := fmt.Sprintf("getPublicKey error: %s", err)
+			if errors.Is(err, keyNotFound) && !idpSignkeyRefreshEnabled {
+				msg = fmt.Sprintf("getPublicKey error: %s. You can enable key refresh by setting HttpServerConfig.IdpSignKeyRefreshEnabled to true in your management.json file and restart the service", err)
+			}
+
+			log.WithContext(ctx).Error(msg)
+
+			return nil, err
 		},
 		EnableAuthOnOptions: false,
 	}
@@ -229,7 +237,7 @@ func getPublicKey(ctx context.Context, token *jwt.Token, jwks *Jwks) (interface{
 		log.WithContext(ctx).Debugf("Key Type: %s not yet supported, please raise ticket!", jwks.Keys[k].Kty)
 	}
 
-	return nil, errors.New("unable to find appropriate key")
+	return nil, keyNotFound
 }
 
 func getPublicKeyFromECDSA(jwk JSONWebKey) (publicKey *ecdsa.PublicKey, err error) {
@@ -310,4 +318,3 @@ func getMaxAgeFromCacheHeader(ctx context.Context, cacheControl string) int {
 	return 0
 }
 
-
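Review bot: The new package-level sentinel on the `+var keyNotFound` line does not follow the Go naming convention for error values, which expect an `Err`/`err` prefix so readers and linters recognize it as a sentinel: `var errKeyNotFound = errors.New("unable to find appropriate key")`. The same rename would apply to the `errors.Is(err, keyNotFound)` check in the second hunk and to `return nil, keyNotFound` in the third. It also has no doc comment; a line such as `// errKeyNotFound is returned by getPublicKey when no usable key is found in the JWKS.` would tell callers what `errors.Is` against it actually means.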
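Review bot: The two `fmt.Sprintf` calls in the new error path repeat the `"getPublicKey error: %s"` prefix, so the hint branch rebuilds the whole message instead of extending it; `msg := fmt.Sprintf("getPublicKey error: %s", err)` followed by `msg += ". You can enable key refresh by setting HttpServerConfig.IdpSignKeyRefreshEnabled to true in your management.json file and restart the service"` inside the `if` keeps the two messages from drifting apart. Keeping the operator hint in the log only, while the unchanged `err` is what propagates to the caller, is the right split: the configuration advice stays server-side and the value returned from the key getter is unaffected. The `ValidationKeyGetter` closure this code belongs to starts before the hunk and its enclosing `NewJWTValidator` ends after it.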