In an asymmetric algorithm, a JWT is signed with the Identity Provider’s private key, so verifying the token’s signature requires the matching public key. This post covers how to use the JWT tool at to verify the signature of a signed Azure AD token (either an access token or an ID token).


  • You should only validate tokens intended for your own resource. Using the technique below to validate the signature of a Microsoft first-party app token (for example, a token whose audience is the Microsoft Graph resource) may fail.
  • The utility is a third-party tool. We (Microsoft) have no knowledge of how this site uses the token information.
  • To see the token claim information, we recommend using the Microsoft utility, since that site does not cache token information.

Verifying the token signature

  1. Browse to and paste the JWT into the Encoded text box. The tool should automatically detect the token’s signature algorithm (RS256) and display the token in three parts: header, payload, and signature. Note the “kid” field in the header. This is the key ID of the certificate used to sign the token.

    Scrolling down a little, you will see the version of the token (a v1 token in this case) and the text “invalid signature”. This is expected, since at this point we have not provided any certificate information for the tool to verify the signature with.

  2. Find the JWKS URL from Azure AD’s OIDC well-known endpoint. Depending on your token version, use the matching well-known endpoint (make sure to supply the correct tenant name in the URL):

    V1 token:{tenant name}/.well-known/openid-configuration

    V2 token:{tenant name}/v2.0/.well-known/openid-configuration

    In my case, I use the V1 OIDC endpoint. You can paste the URL into either a web browser or Postman and read the “jwks_uri” field from the response:

  3. From the JWKS URI endpoint, find the key whose kid (key ID) matches the one in the token’s header. Copy the long text string from that key’s x5c field. This is the public certificate.

  4. Enclose the x5c string in a BEGIN CERTIFICATE / END CERTIFICATE block as follows:

    -----BEGIN CERTIFICATE-----
    {x5c string from step 3}
    -----END CERTIFICATE-----

  5. Now copy the entire text above into the first text box under the “Verify Signature” section. The “Invalid Signature” text should change to “Signature Verified”.



The above steps show a manual way to validate a JWT’s signature given the signing certificate’s public key.
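The lookup part of steps 1 to 4 (read the kid from the token header, refuse a token meant for another resource, pick the matching JWKS entry, wrap its x5c as PEM) as an added Python example. This is not code from the post or from Microsoft; the token, the JWKS entries and the audience `api://my-app` are constructed for the demo, and the signature check itself is still left to jwt.io or any RS256 verifier fed the resulting PEM.

```python
import base64
import json
import textwrap

# Constructed sample JWKS (not real Azure AD keys): two RSA entries, each with
# a "kid" and an "x5c" chain; only the first x5c entry is the signing cert.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "other-key", "x5c": ["MIIBother0"]},
    {"kty": "RSA", "kid": "demo-kid-1", "x5c": ["MIIBsample1" * 10]},
]}

def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(kid, aud):
    # Constructed token for the demo; the signature segment is a placeholder,
    # so this token serves the lookup steps only and would fail jwt.io's check.
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"aud": aud, "ver": "1.0"}
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload)) \
        + "." + b64url_encode(b"placeholder-signature")

def jwt_parts(token):
    # Decode header and payload WITHOUT trusting them: they only tell us which
    # key to fetch; trust comes from the signature check done with that key.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def x5c_to_pem(x5c_entry):
    # x5c is plain base64 DER; PEM needs 64-char lines and ASCII hyphens.
    body = "\n".join(textwrap.wrap(x5c_entry, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def signing_cert_pem(token, jwks, expected_aud):
    # Mirrors steps 1-4: read kid from the header, refuse tokens meant for
    # another resource, find the matching JWKS entry, wrap its x5c as PEM.
    header, payload = jwt_parts(token)
    if payload.get("aud") != expected_aud:
        raise ValueError(f"token audience {payload.get('aud')!r} is not this resource")
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if not matches:
        raise LookupError(f"kid {kid!r} not in this JWKS (wrong tenant or endpoint?)")
    return x5c_to_pem(matches[0]["x5c"][0])
```

A kid that is absent from the JWKS (the B2C situation raised in the comments) surfaces as a LookupError rather than a silent "invalid signature".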


July 13, 2020 11:24 am

If I don’t find the kid in <tenantId>/discovery/v2.0/keys, what can be the reason? I’m using AAD B2C, in case this makes a difference.

July 13, 2020 11:46 am

Aha, for B2C, one has to use

to get the config and then from there to the keys discovery

chris ondrovic
August 22, 2020 8:16 pm

Any idea how to get it to validate tokens with the audience of ? It seems like it always returns invalid signature.