
Microsoft Graph API – InvalidAuthenticationToken ("Signature is invalid") for Mail Endpoints

Tushar Raj 0 Reputation points
2026-03-28T13:21:03.64+00:00

Hello Team,

I am currently integrating with the Microsoft Graph API and encountering an issue specifically with mail-related endpoints.

Issue Summary

  • The endpoint GET https://graph.microsoft.com/v1.0/me works successfully using my access token.

However, when calling:

GET https://graph.microsoft.com/v1.0/me/mailFolders
GET https://graph.microsoft.com/v1.0/me/messages

I receive the following error:

```json
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Signature is invalid."
  }
}
```
Token Details

The same access token is used for both working and failing endpoints.

  • Token contains the following scopes: (see screenshot)

Token includes scp (delegated permissions), not roles.

Audience (aud) is set to https://graph.microsoft.com.

Token is not expired and was freshly generated.


Additional Observations

The issue persists even when using the same token in Microsoft Graph Explorer.

  • The /me endpoint works when called from the backend, but the same token returns 401 when called from Graph Explorer.

Error specifically mentions "Signature is invalid", which is unexpected given that the same token works for other Graph endpoints.


Questions

Is there any scenario where a token is valid for /me but considered invalid for mail endpoints?

Could this be related to tenant configuration, account type (personal vs work), or Exchange Online mailbox availability?

Are there any additional validations specific to mail APIs that could cause this behavior?


Request

Could you please help identify the root cause of this issue and guide on how to resolve it?

If needed, I can share additional token metadata (excluding sensitive information).

Thank you for your support.

Best regards, Tushar

Microsoft Security | Microsoft Graph

1 answer

  1. AI answer

    2026-03-28T13:22:12.54+00:00

    Yes, a token can appear to work for /me but fail with InvalidAuthenticationToken on mail endpoints when:

    1. The token is not actually valid for Microsoft Graph from the resource’s point of view (for example, wrong audience or issuer), or
    2. The resource that validates the token is different and performs stricter signature checks.

    For Microsoft Graph, the error InvalidAuthenticationToken with message Signature is invalid indicates that Graph cannot validate the token’s signature. This is independent of the scopes such as Mail.Read; it means Graph treats the token itself as invalid, not merely under‑privileged.

    From the provided details and the context, the most likely causes and checks are:

    1. Verify the audience (aud) claim is for Microsoft Graph
      Use a JWT decoder such as https://jwt.ms to inspect the token and confirm that aud is one of the supported Microsoft Graph values:
      • https://graph.microsoft.com or https://graph.microsoft.com/
      • or the GUID 00000003-0000-0000-c000-000000000000
        If the aud is for another API (for example, a custom API or Outlook REST), Graph will reject the token with a signature validation error even if some endpoints appear to work. Acquire the token with a Microsoft Graph scope such as Mail.Read or https://graph.microsoft.com/.default so that the aud is set correctly.
    2. Confirm the issuer (iss) and signing key (kid) are valid for the tenant
      Still using https://jwt.ms, check:
      • iss matches the Microsoft Entra ID issuer for the tenant.
      • kid corresponds to a signing key that Graph can retrieve from the tenant’s OpenID configuration.
        If the signing metadata is stale or misconfigured, Graph cannot validate the signature and returns InvalidAuthenticationToken.
    3. Ensure the token is acquired for Microsoft Graph, not reused from another resource
      The audience claim is determined by the scope parameter when acquiring the token. For example, to get a token for a custom API https://api.contoso.com, the scope must be like https://api.contoso.com/read. A token acquired for such a scope cannot be reused against Microsoft Graph; Graph will fail signature validation. Acquire a fresh token specifically for Microsoft Graph using the proper scopes.
    4. Do not rely on inspecting or reusing access tokens across components
      Application code should not attempt to decode or repurpose access tokens. Tokens might be encrypted or change format, and reusing them for different resources can lead to exactly these signature validation issues. Instead, each component should acquire its own token for the resource it calls, using a library such as MSAL.
    5. Distinguish between token validity and permissions
      • If the token is invalid (wrong audience, issuer, or signature), Graph returns 401 with InvalidAuthenticationToken and Signature is invalid.
      • If the token is valid but lacks mail permissions, Graph returns 403 with a permissions-related error.
        In this case, the presence of mail scopes in scp is not relevant until the token’s signature is accepted.
    6. Mailbox or account state does not cause Signature is invalid
      Issues such as no mailbox, disabled mailbox, or personal vs. work account typically result in different error codes (for example, ErrorMailboxNotFound or OrganizationFromTenantGuidNotFound). They do not cause a signature validation failure. The error here points specifically to token acquisition or configuration, not Exchange mailbox availability.

    Recommended resolution steps:

    1. Decode the failing token with https://jwt.ms.
    2. Confirm aud is one of the Microsoft Graph values listed above.
    3. Confirm iss matches the tenant’s issuer and that the token is issued by Microsoft Entra ID for that tenant.
    4. Acquire a new access token for Microsoft Graph using MSAL and a Graph scope (Mail.Read, Mail.ReadWrite, etc.), then call /me/mailFolders and /me/messages with that token in the Authorization: Bearer <token> header.
    5. If the error persists even with a freshly acquired Graph token, investigate tenant authorization server metadata (for example, if using on‑premises components or custom auth servers) and refresh or correct the configuration so that Graph can retrieve the correct signing keys.

    References:


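The checks the answer recommends (aud, iss, kid, expiry, delegated scp) as one triage script. This is an added example, not code from the question author, the answer, or Microsoft. It reads a token's claims without verifying the signature, which is the resource's job; the tenant id, kid, scope strings and sample tokens are constructed placeholders, and the v1.0/v2.0 issuer formats are standard Microsoft Entra ID values.

```python
import base64
import json
import time

# Audience values the answer lists as valid for Microsoft Graph.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Return header and claims of a compact JWS without checking the signature.

    Triage aid only: the resource that owns the signing key (Graph) decides
    whether the signature is valid; this script just surfaces the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def expected_issuers(tenant_id: str) -> set:
    # v2.0 and v1.0 issuer formats for a Microsoft Entra ID tenant.
    return {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}/",
    }


def triage_graph_token(token, tenant_id, required_scopes=("Mail.Read",), now=None) -> dict:
    """Apply the answer's checks: aud, iss, kid, expiry and delegated scopes."""
    decoded = decode_jwt_unverified(token)
    header, claims = decoded["header"], decoded["claims"]
    now = time.time() if now is None else now
    granted = set(claims.get("scp", "").split())
    return {
        "aud_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "iss_matches_tenant": claims.get("iss") in expected_issuers(tenant_id),
        "has_kid": bool(header.get("kid")),
        "expired": "exp" in claims and claims["exp"] <= now,
        "delegated": "scp" in claims and "roles" not in claims,
        "missing_scopes": sorted(set(required_scopes) - granted),
    }


def build_sample_token(header: dict, claims: dict) -> str:
    """Assemble a constructed, unsigned sample token (signature is a placeholder)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed placeholder tenant id, not a real tenant.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}

if __name__ == "__main__":
    exp = int(time.time()) + 3600
    graph_token = build_sample_token(SAMPLE_HEADER, {
        "aud": "https://graph.microsoft.com",
        "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
        "scp": "User.Read Mail.Read", "exp": exp,
    })
    # Token acquired for a custom API (answer, point 3): wrong aud, no mail scope.
    custom_api_token = build_sample_token(SAMPLE_HEADER, {
        "aud": "api://constructed-custom-api",
        "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
        "scp": "read", "exp": exp,
    })
    for label, tok in (("graph token", graph_token), ("custom-API token", custom_api_token)):
        print(label, triage_graph_token(tok, SAMPLE_TENANT))
```

Run it against the real failing token by passing that token string and your tenant id to triage_graph_token; a False aud_is_graph or iss_matches_tenant points at the acquisition step (wrong scope or wrong authority), while all-True findings with Graph still returning 401 point at the signing-key side of the answer's step 5.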
