How can I validate accessToken on the protected API in NodeJS + Express?

Question

Stefano Cappa 0

I ctreated a small app using this example https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-node-samples/auth-code-pkce/src/index.ts as a starting point to login and obtain an accessToken from Entra. Everything seems ok, because I receive a valid JWT as expected. Then I created another microservice to expose protected APIs, so I need to implement a JWT validation.

When I try to validate accessToken via jwks-rsa and jsonwebtoken packages I always receive error: "invalid signature".

I don't understand how to fix this issue and how to debug it to understand what is wrong.

Do you have any suggestions?

thanks

Carolyne-3676 1,116 Reputation points

2026-02-16T09:01:00.5166667+00:00

Typically this error can occur for several reasons. I would generally check these for a start:
-->Verify you are validating the correct access token for your API. Decode the token (for example, using jwt.ms) and confirm the aud claim matches your API’s Application ID URI or client ID—signature validation will fail if you send a Microsoft Graph token to a custom API or request the wrong scope.
-->Validate issuer, algorithm, and signature correctly. Ensure the iss claim exactly matches your authority (https://login.microsoftonline.com/{tenantId}/v2.0), validate using RS256 with the public key from JWKS (not the client secret), and follow Microsoft’s signature‑validation troubleshooting flow (decode token → check aud, iss, kid → verify signing key).
https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/troubleshooting-signature-validation-errors and https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
These two docs should be able to unblock.
Stefano Cappa 0 Reputation points

2026-02-19T11:14:49.48+00:00

Thanks problem solved. I was using the wrong token (access and not id).

Your answer

Carolyne-3676 1,116 Reputation points

2026-02-16T09:01:00.5166667+00:00

Typically this error can occur for several reasons. I would generally check these for a start:
-->Verify you are validating the correct access token for your API. Decode the token (for example, using jwt.ms) and confirm the aud claim matches your API’s Application ID URI or client ID—signature validation will fail if you send a Microsoft Graph token to a custom API or request the wrong scope.
-->Validate issuer, algorithm, and signature correctly. Ensure the iss claim exactly matches your authority (https://login.microsoftonline.com/{tenantId}/v2.0), validate using RS256 with the public key from JWKS (not the client secret), and follow Microsoft’s signature‑validation troubleshooting flow (decode token → check aud, iss, kid → verify signing key).
https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/troubleshooting-signature-validation-errors and https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens
These two docs should be able to unblock.
Stefano Cappa 0 Reputation points

2026-02-19T11:14:49.48+00:00

Thanks problem solved. I was using the wrong token (access and not id).