"When your API receives an access token, it must validate the signature to prove that the token is authentic. Your API must also validate a few claims in the token to prove that it is valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario"
Please let me know if you have any questions or if I misunderstood your question.
If this answer helped you please mark it as "Verified" so other users can reference it.