
AZURE AD : Check access token validity

Anonymous
2023-12-04T13:23:45.3433333+00:00

Hello,

I have an application using Microsoft Azure AD for login. When I am logged in, I store the access token and pass it in the header to call my API.

I would like to know the best way to check whether the access token is valid or not.

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

1 answer

  1. Shweta Mathur (30,456 Reputation points, Microsoft Employee, Moderator)
    2023-12-08T04:28:57.76+00:00

    Hi @Anonymous ,

    Thanks for reaching out.

    An access token contains claims that you can use in Azure Active Directory to identify the permissions granted to your APIs. For validation, developers can also decode JWTs using jwt.ms and perform several checks against the claims in the token, such as:

    • audience - Verifies that the token was intended to be given to your application. Access tokens are created based on the audience of the token, meaning the application that owns the scopes in the token.
    • not before and expiration time - Verifies that the token hasn't expired.
    • issuer - Verifies that the token was issued to your application by Azure AD.
    • nonce - A strategy for token replay attack mitigation.

    When your internal application receives an access token, it must validate the signature to prove that the token is authentic. Your application/API must also validate a few claims in the token to prove that it is valid.

    To Verify the JWT token:

    1. Verify that the JWT contains three segments, separated by two period ('.') characters.
    2. Parse the JWT to extract its three components. The first segment is the Header, the second is the Payload, and the third is the Signature. Each segment is base64url encoded.
    3. The Signature segment contains the digital signature of the token, generated by Azure AD's private key; verify that the token was signed by the sender.

    To validate the authenticity of the JWT token's data, use Azure AD's public key to verify the signature.
    You can obtain the public key by calling the public Azure AD OpenID configuration endpoint: https://login.microsoftonline.com/common/.well-known/openid-configuration and verify against the private key generated by Azure AD for the token.

    If it works, you know the contents were signed with the private key. If not, you can’t be sure of it so you should treat the JWT token as an invalid token.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

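The validation procedure described in the answer above (three-segment check, base64url decoding, signature verification, then audience / issuer / not-before / expiry claim checks), as an added example that is not part of the original post or of any Microsoft library. Everything in it is constructed: the key, the audience `api://example-api`, the placeholder issuer, the fixed timestamp and the claim values. Real Microsoft Entra ID access tokens are RS256-signed, and the verification key is the JWK whose `kid` matches the token header, fetched from the `jwks_uri` advertised by the OpenID configuration endpoint named in the answer; HMAC-SHA256 with a shared test key stands in here so the example runs offline with the standard library only, while the structural and claim checks are the same ones an API would apply to a real token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for a runnable offline demo; none come from the original post.
# Real Entra ID tokens are RS256-signed with a key published at the jwks_uri; HMAC-SHA256
# stands in here so no network access or third-party library is needed.
TEST_KEY = b"constructed-demo-secret-not-for-production"
EXPECTED_ALG = "HS256"
EXPECTED_AUD = "api://example-api"                                   # assumed API audience
EXPECTED_ISS = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder tenant
CLOCK_SKEW = 300          # seconds of tolerance for clock drift between issuer and API
NOW = 1_700_000_000       # fixed "current time" so the demo is deterministic


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(claims: dict, key: bytes = TEST_KEY, alg: str = EXPECTED_ALG) -> str:
    """Build a compact JWT (header.payload.signature) for the demo."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, key: bytes = TEST_KEY, now=None,
                   audience: str = EXPECTED_AUD, issuer: str = EXPECTED_ISS):
    """Return (True, 'ok') for a valid token, else (False, reason). Fail closed on any doubt."""
    now = int(time.time()) if now is None else now

    # Step 1: exactly three segments separated by two '.' characters.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "token does not have exactly three segments"
    header_b64, payload_b64, sig_b64 = parts

    # Step 2: decode header, payload and signature; reject anything malformed.
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:          # covers both bad base64 and bad JSON
        return False, f"malformed segment: {exc}"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "header and payload must be JSON objects"

    # Step 3: verify the signature before trusting any claim. Pin the algorithm the
    # API expects instead of honouring whatever the header advertises (e.g. "none").
    if header.get("alg") != EXPECTED_ALG:
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"

    # Step 4: the claim checks from the answer: audience, issuer, not-before, expiry.
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if payload.get("iss") != issuer:
        return False, "issuer mismatch"
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if not isinstance(exp, int) or now >= exp + CLOCK_SKEW:
        return False, "token expired or missing exp"
    if isinstance(nbf, int) and now < nbf - CLOCK_SKEW:
        return False, "token not yet valid"
    return True, "ok"


def good_claims(now: int = NOW) -> dict:
    """Constructed claim set that should pass every check at time NOW."""
    return {"aud": EXPECTED_AUD, "iss": EXPECTED_ISS, "nbf": now - 60,
            "exp": now + 3600, "sub": "constructed-user-id", "scp": "Api.Read"}


def tampered_token(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature; the signature check must catch it."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(json.dumps(new_claims).encode()), sig_b64])


if __name__ == "__main__":
    token = make_token(good_claims())
    print(validate_token(token, now=NOW))                          # (True, 'ok')
    print(validate_token(token, now=NOW + 7200))                   # past exp + skew
    print(validate_token(tampered_token(token, {**good_claims(), "scp": "Api.Write"}), now=NOW))
    print(validate_token(token.rsplit(".", 1)[0], now=NOW))        # signature segment missing
```

The order matters: the signature is verified before any claim is read, so an attacker-controlled payload never influences a decision, and the algorithm is pinned on the verifier's side rather than taken from the token header. Swapping `hmac` for RSA verification against the matching JWK from the tenant's `jwks_uri` turns this into the real Entra ID check; the rest of the function stays as it is.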
