Hi @Akhtar Naved ,
Thanks for reaching out.
I understand you are looking to verify the signature of the access token issued by Azure Ad by using public endpoint.
The OpenID discovery document contains the public keys that can be used to validate the signature of the token.
The x5c property in the JSON Web Key (JWK) set returned by the OpenID discovery document contains the public key in the form of an X.509 certificate. To validate the signature of the token, you need to extract the public key from the certificate and use it to verify the signature.
You need to obtain the public key by calling the public Azure AD OpenID configuration endpoint:
https://login.microsoftonline.com/{tenant_id}/discovery/keys?appid={client_id} and verify against the private key generated by Azure AD token.
You need to decode your access token using jwt.ms, extract the "kid" from the header, and check that a key with that kid exists among the public keys.
If it matches, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
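The kid-matching and signature check described in this answer, as an added stand-alone example that is not code from the original post or from Microsoft. It assumes a JWKS document whose RSA keys carry `n` and `e` members (the Azure AD `discovery/keys` response publishes these alongside `x5c`, so the certificate parsing step is skipped here); the RSA key pair, the `kid` value and the claims are constructed for the demo, and the RS256 primitives are written in plain Python so the script runs offline. A rejected token is one whose `kid` is not in the key set, whose `alg` is not RS256, or whose signature does not verify.

```python
import base64
import hashlib
import json
import secrets

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used only to build the demo key pair."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 1024):
    """Constructed demo key (Azure AD signing keys are 2048-bit in practice)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

# DER DigestInfo prefix for SHA-256, per RFC 8017 section 9.2
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def jwk_from_public(n: int, e: int, kid: str) -> dict:
    """Shape of one entry in the discovery/keys document (x5c omitted)."""
    return {"kty": "RSA", "use": "sig", "kid": kid,
            "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": b64url_encode(e.to_bytes(3, "big"))}

def issue_token(claims: dict, n: int, d: int, kid: str) -> str:
    """Stands in for the token issuer; only used to produce demo input."""
    h = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}.{b64url_encode(rs256_sign(f'{h}.{p}'.encode(), n, d))}"

def verify_jwt_signature(token: str, jwks: dict) -> bool:
    """The check from the answer: header kid must match a published key,
    and the signature must verify under that key's public parameters."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "RS256":          # pin the algorithm; never trust the header's choice
        return False
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                            # unknown kid: treat the token as invalid
        return False
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    return rs256_verify(f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64), n, e)

def demo():
    """Returns (valid token, tampered payload, kid not in key set) verification results."""
    n, e, d = generate_rsa_keypair()
    jwks = {"keys": [jwk_from_public(n, e, "demo-kid-1")]}  # constructed; stands in for the discovery/keys response
    token = issue_token({"aud": "api://example", "sub": "user"}, n, d, "demo-kid-1")
    h, _, s = token.split(".")
    tampered = f"{h}.{b64url_encode(json.dumps({'aud': 'api://example', 'sub': 'admin'}).encode())}.{s}"
    rotated = {"keys": [jwk_from_public(n, e, "rotated-kid")]}
    return verify_jwt_signature(token, jwks), verify_jwt_signature(tampered, jwks), verify_jwt_signature(token, rotated)

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Signature validity is only the first gate: a real resource server also checks `iss`, `aud`, `exp` and `nbf` against its own expectations, and refreshes the key set when it meets an unknown `kid` so that key rotation does not reject legitimate tokens. A maintained JWT library does all of this; the hand-rolled RSA here exists only to keep the example dependency-free.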