diff --git a/src/api2/access/openid.rs b/src/api2/access/openid.rs
index bd6f7dee..8e39cbc9 100644
--- a/src/api2/access/openid.rs
+++ b/src/api2/access/openid.rs
@@ -21,7 +21,7 @@ use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
 use pbs_config::open_backup_lockfile;
 use pbs_config::CachedUserInfo;
-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;
 use crate::auth_helpers::*;
 fn openid_authenticator(
@@ -200,7 +200,7 @@ pub fn openid_login(
 }
 let api_ticket = ApiTicket::Full(user_id.clone());
- let ticket = Ticket::new("PBS", &api_ticket)?.sign(auth_keyring(), None)?;
+ let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_keyring(), None)?;
 let token = assemble_csrf_prevention_token(csrf_secret(), &user_id);
 env.log_auth(user_id.as_str());
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index db6d67ac..931143fd 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -26,7 +26,7 @@ use proxmox_sys::fd::fd_change_cloexec;
 use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};
-use crate::auth::auth_keyring;
+use crate::auth::{private_auth_keyring, public_auth_keyring};
 use crate::tools;
 pub mod apt;
@@ -119,7 +119,7 @@ async fn termproxy(cmd: Option, rpcenv: &mut dyn RpcEnvironment) -> Resu
 let port = listener.local_addr()?.port();
 let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
- auth_keyring(),
+ private_auth_keyring(),
 Some(&tools::ticket::term_aad(userid, path, port)),
 )?;
@@ -290,7 +290,7 @@ fn upgrade_to_websocket(
 // will be checked again by termproxy
 Ticket::::parse(ticket)?.verify(
- auth_keyring(),
+ public_auth_keyring(),
 crate::auth::TERM_PREFIX,
 Some(&tools::ticket::term_aad(userid, "/system", port)),
 )?;
diff --git a/src/auth.rs b/src/auth.rs
index 533f3b9d..e6331e6a 100644
--- a/src/auth.rs
+++ b/src/auth.rs
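Review bot: In `termproxy` the ticket is now signed with `private_auth_keyring()` while `upgrade_to_websocket` verifies it with `public_auth_keyring()`, so the two halves of the check are backed by two independently loaded statics rather than the single keyring the old `auth_keyring()` handed to both call sites; that the two keys on disk form a pair is no longer guaranteed by construction but inherited from `auth_helpers`. If the public key were ever replaced independently of the private one, every ticket `termproxy` issues would be rejected in `upgrade_to_websocket`, which is hard to diagnose from the verify error alone. A short comment at the `verify` call would make the dependency explicit, e.g. `// verified with the public half of the pair termproxy signs with; both keys come from auth_helpers`. Both `termproxy` and `upgrade_to_websocket` begin and end outside their hunks.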
@@ -7,7 +7,7 @@ use std::pin::Pin;
 use anyhow::{bail, Error};
 use futures::Future;
-use once_cell::sync::OnceCell;
+use once_cell::sync::{Lazy, OnceCell};
 use proxmox_router::http_bail;
 use serde_json::json;
@@ -221,13 +221,17 @@ pub(crate) fn authenticate_user<'a>(
 })
 }
+static PRIVATE_KEYRING: Lazy =
+ Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+static PUBLIC_KEYRING: Lazy =
+ Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
 static AUTH_CONTEXT: OnceCell = OnceCell::new();
 pub fn setup_auth_context(use_private_key: bool) {
 let keyring = if use_private_key {
- Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into())
+ &*PRIVATE_KEYRING
 } else {
- Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into())
+ &*PUBLIC_KEYRING
 };
 AUTH_CONTEXT
@@ -241,15 +245,16 @@ pub fn setup_auth_context(use_private_key: bool) {
 proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
 }
-pub(crate) fn auth_keyring() -> &'static Keyring {
- &AUTH_CONTEXT
- .get()
- .expect("setup_auth_context not called")
- .keyring
+pub(crate) fn private_auth_keyring() -> &'static Keyring {
+ &*PRIVATE_KEYRING
+}
+
+pub(crate) fn public_auth_keyring() -> &'static Keyring {
+ &*PUBLIC_KEYRING
 }
 struct PbsAuthContext {
- keyring: Keyring,
+ keyring: &'static Keyring,
 csrf_secret: Vec,
 }
@@ -260,7 +265,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
 /// Get the current authentication keyring.
 fn keyring(&self) -> &Keyring {
- &self.keyring
+ self.keyring
 }
 /// The auth prefix without the separating colon. Eg. `"PBS"`.
diff --git a/src/client_helpers.rs b/src/client_helpers.rs
index da179831..c7c595b2 100644
--- a/src/client_helpers.rs
+++ b/src/client_helpers.rs
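Review bot: `private_auth_keyring()` makes the private keyring reachable from any code path regardless of the `use_private_key` flag given to `setup_auth_context`, so that flag no longer confines signing capability to the process it was enabled for; the `Lazy` closure also calls `crate::auth_helpers::private_auth_key()` only on first deref, so any failure or panic while loading the key in a process that was not meant to hold it would surface at the first `sign()` call instead of at startup. The removed `auth_keyring()` at least failed loudly via its `expect` when the context had not been set up; the new accessors carry no such guard or documentation. Document the intended restriction on the new function, e.g. `/// Keyring holding the private auth key. Only for processes permitted to read that key; it is loaded lazily on first use.`, and consider adding `Lazy::force(&PRIVATE_KEYRING);` to the `use_private_key` branch of `setup_auth_context` so key-load errors appear during setup. `setup_auth_context` continues past the end of the -221 hunk.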
@@ -5,14 +5,15 @@ use pbs_client::{HttpClient, HttpClientOptions};
 use proxmox_auth_api::ticket::Ticket;
-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;
 /// Connect to localhost:8007 as root@pam
 ///
 /// This automatically creates a ticket if run as 'root' user.
 pub fn connect_to_localhost() -> Result {
 let options = if nix::unistd::Uid::current().is_root() {
- let ticket = Ticket::new("PBS", Userid::root_userid())?.sign(auth_keyring(), None)?;
+ let ticket =
+ Ticket::new("PBS", Userid::root_userid())?.sign(private_auth_keyring(), None)?;
 let fingerprint = crate::cert_info()?.fingerprint()?;
 HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
 } else {