Token Validation
Token validation confirms that an incoming access token was issued by the trusted TokenIDP instance and is intended for the receiving API.
Validation Checklist
- Validate the token signature against the keys published in the TokenIDP JWKS.
- Validate that the issuer claim names the trusted TokenIDP instance.
- Validate that the audience claim identifies the receiving API.
- Validate expiration and reject tokens whose expiry time has passed.
- Enforce the scopes, roles, tenant, or policy claims the API requires.
Common Pitfalls
- Checking only that the token is well-formed.
- Skipping audience validation.
- Trusting claims without validating the signature and issuer.
Troubleshooting
- If validation fails after key rotation, refresh the API's JWKS cache.
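The checklist above and the JWKS refresh from Troubleshooting, written out as one validator in Python. This is an added example, not TokenIDP's own code: it uses a constructed key set with a symmetric HS256 ("oct") key so it runs on the standard library alone, whereas a real TokenIDP JWKS carries RSA or EC public keys and you would hand the signature step to a JWT library; the issuer, audience, key ids and keys are made-up values, and `mint` stands in for the IdP's signer.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class TokenValidator:
    def __init__(self, issuer: str, audience: str, fetch_jwks):
        self.issuer, self.audience, self.fetch_jwks = issuer, audience, fetch_jwks
        self.keys = {}  # the JWKS cache: kid -> key material
        self.refresh()

    def refresh(self) -> None:
        # Re-fetch the key set. Constructed "oct" keys here; a real JWKS carries RSA/EC public keys.
        self.keys = {k["kid"]: b64url_decode(k["k"]) for k in self.fetch_jwks()["keys"] if k.get("kty") == "oct"}

    def validate(self, token: str, required_scope: str, now: float) -> dict:  # now: epoch seconds, injected
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
            if not (isinstance(header, dict) and isinstance(claims, dict)):
                raise ValueError("segments are not JSON objects")
        except ValueError as e:  # wrong segment count, bad base64, bad JSON
            raise ValueError("malformed token") from e
        if header.get("alg") != "HS256":  # pin the algorithm the API accepts; never trust alg alone
            raise ValueError("unexpected alg")
        kid = header.get("kid")
        if kid not in self.keys:
            self.refresh()  # key rotation: refresh the cache once when the kid is unknown
        if kid not in self.keys:
            raise ValueError("unknown kid")
        expected = hmac.new(self.keys[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad signature")
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")  # aud may be a string or a list
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            raise ValueError("expired or missing exp")
        if required_scope not in str(claims.get("scope", "")).split():
            raise ValueError("missing scope")
        return claims

def mint(key: bytes, kid: str, claims: dict) -> str:  # constructed helper standing in for the IdP's signer
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())}"
```

The checks run in the order a well-formed attacker-controlled token would try to exploit them: signature before any claim is trusted, then issuer, audience, expiry, and only then the API's own scope policy.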