How to validate JWT with only a public key

Question

How to validate JWT with only a public key

Neščivera Ján (ERNI) 45

Hello,

we have an APIM policy attempting to validate incoming JWT using public key modulus, exponent and id.

This policy however seems to not validate JWT signature for some reason. When I change key modulus, exponent or id, the validation still passes and request is forwarder to backend. If I change audience or issuer in the policy, the validation fails as expected.

What is the proper way to validate incoming JWT when we only have acess to public key of the identity provider?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T09:14:33.48+00:00

unfortunatelly I can not add the coresponding policy to the question, as it immedietely gets deleted for violating code of conduct (altought its just a simple XML)
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T09:22:34.9566667+00:00

the screenshot of corresponding policy fragment (as when adding as XML its flagged as violating Code of conduct)
Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator

2026-05-12T11:00:15.41+00:00
Hey @Neščivera Ján (ERNI)

Thank you for reaching out to Microsoft Q&A.

It looks like your policy is checking issuer/audience just fine but never actually using your RSA key to validate the signature. In APIM you have two options when you only have a public key:

Inline the modulus/exponent pair

Point at an OpenID-Connect metadata (JWKS) endpoint

Here’s how to do #1 (inline the key) in a <validate-jwt> policy:

<validate-jwt header-name="Authorization" require-scheme="Bearer" require-expiration-time="true" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">  <issuer-signing-keys>  <key id="myKeyId" n="Base64UrlEncodedModulusHere" e="Base64UrlEncodedExponentHere" /> </issuer-signing-keys>  <issuers> <issuer>https://your.idp.com/</issuer> </issuers> <audiences> <audience>your-api-audience</audience> </audiences> </validate-jwt>

Key things to watch for: • Make sure you really Base64URL-encode the modulus and exponent (no padding, use “-” and “_”). • Ensure the <key id="…"> exactly matches the kid in your JWT header (or remove the id if there is none). • The <issuer-signing-keys> block must appear before your <issuers> and <audiences>.

If your identity provider exposes a JWKS endpoint, you can skip all of the above and instead use:

<validate-jwt header-name="Authorization" require-scheme="Bearer" require-expiration-time="true"> <openid-config url="https://your.idp.com/.well-known/openid-configuration" /> <issuers> <issuer>https://your.idp.com/</issuer> </issuers> <audiences> <audience>your-api-audience</audience> </audiences> </validate-jwt>

That way APIM will pull down the JWKs for you (and handle key rotation automatically).

Hope that helps you get signature validation working. If you still see signatures being ignored, can you share:

The exact <validate-jwt> fragment you’re using (screenshot is fine)

The alg and kid from your JWT header

Confirmation that your n/e values are Base64URL encoded

References:

Validate JWT policy overview & examples https://learn.microsoft.com/azure/api-management/validate-jwt-policy

Elements & key attributes (modulus/exponent, certificate-id, id) https://learn.microsoft.com/azure/api-management/validate-jwt-policy#elements

Usage notes & supported algorithms https://learn.microsoft.com/azure/api-management/validate-jwt-policy#usage

Debug your APIs with request tracing https://learn.microsoft.com/azure/api-management/api-management-howto-api-inspector
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T11:28:56.4233333+00:00

hi, I already have the setup as you describe in option #1 - I added the screenshot of the policy fragment as the separate comment (as a screenshot, becasue adding XML immediatelly flags the comment as violating the Code of conduct).
The problem is that its not working. As decribed in my original question - the JWTs pass as valid even if the kid is not matching the one specified in the policy. Also modulus and exponet seem to be ignored as when I chage them in policy to have some wrong values, the validation passes and request is forwarded to backend.

The only change to your sample is that I am using named values in the policy fragment. But even if I alter the policy to use the values directly, it still passes validation, when it should not.
Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator

2026-05-18T12:33:54.9566667+00:00
Based on the additional details you provided, the behavior—where JWT validation succeeds even when the kid, modulus (n), or exponent (e) are incorrect—strongly indicates that signature validation is not being enforced at all, even though the policy appears correctly configured. When using <openid-config>, APIM dynamically retrieves signing keys (JWKS) and performs signature validation internally based on the kid in the token header. However, if APIM fails to correctly resolve or bind the signing keys (for example, due to JWKS fetch issues, caching inconsistencies, missing kid handling, or internal fallback behavior), it may silently skip signature validation and still validate issuer and audience. This explains why modifying issuer/audience fails as expected, but changing kid, n, or e does not impact validation. Additionally, specifying issuer-signing-keys alongside <openid-config> or relying on named values does not override this behavior if APIM prioritizes the OpenID configuration. In such cases, incorrect or mismatched keys are effectively ignored, resulting in requests being forwarded without cryptographic verification.

Refer below points to resolve this issue or this is the workaround

Force strict signature validation and confirm APIM is actually validating signatures Ensure the following attribute is present:

require-signed-tokens="true"

Then test with a deliberately tampered token (modify payload slightly). If the request still succeeds, it confirms signature validation is being skipped.

Verify JWKS retrieval and key resolution via APIM trace Enable tracing and specifically check:

Whether OpenID configuration is successfully fetched

Whether JWKS keys are retrieved

Whether a key is selected based on kid

Whether signature validation step is executed

If trace does not show key selection or signature validation, APIM is not applying the signing keys.

Check behavior when JWT has incorrect or missing kid APIM relies on kid to select the correct key from JWKS. If:

kid does not exist in JWKS

or token has no kid

APIM should fail validation. If it does not, this indicates a fallback or incorrect validation path. Validate token header explicitly:

{ "alg": "RS256", "kid": "expected-key-id" }

Ensure OpenID configuration is the only source of truth (remove any manual key overrides) Do not mix <issuer-signing-keys> with <openid-config>. Keep policy strictly as:

<validate-jwt header-name="Authorization" require-scheme="Bearer" require-signed-tokens="true"> <openid-config url="https://<issuer>/.well-known/openid-configuration" /> <audiences> <audience>your-audience</audience> </audiences> <issuers> <issuer>https://your-issuer</issuer> </issuers> </validate-jwt>

Rule out named values issue by testing hardcoded configuration Although you mentioned trying this, ensure:

No encoding issues in named values

No extra whitespace/formatting issues Sometimes named values can introduce subtle formatting problems that cause APIM to ignore parts of the configuration.

Consider APIM caching or gateway inconsistency APIM caches OpenID configuration and JWKS. Try:

Re-deploying the policy

Restarting gateway (if self-hosted)

Waiting for cache refresh

1 answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T09:14:33.48+00:00

unfortunatelly I can not add the coresponding policy to the question, as it immedietely gets deleted for violating code of conduct (altought its just a simple XML)
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T09:22:34.9566667+00:00

the screenshot of corresponding policy fragment (as when adding as XML its flagged as violating Code of conduct)
Neščivera Ján (ERNI) 45 Reputation points

2026-05-12T11:28:56.4233333+00:00

hi, I already have the setup as you describe in option #1 - I added the screenshot of the policy fragment as the separate comment (as a screenshot, becasue adding XML immediatelly flags the comment as violating the Code of conduct).
The problem is that its not working. As decribed in my original question - the JWTs pass as valid even if the kid is not matching the one specified in the policy. Also modulus and exponet seem to be ignored as when I chage them in policy to have some wrong values, the validation passes and request is forwarded to backend.

The only change to your sample is that I am using named values in the policy fragment. But even if I alter the policy to use the values directly, it still passes validation, when it should not.

Answer 1

AI answer

Use the validate-jwt policy with an asymmetric issuer signing key configured from the public key. The signature is validated against the public key; if the modulus/exponent are wrong, validation must fail.

To validate with only a public key, configure one of these options in the validate-jwt policy:

Use an OpenID configuration endpoint (recommended)

<validate-jwt header-name="Authorization" require-scheme="Bearer">
  <openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" />
  <audiences>
    <audience>api://your-api-app-id</audience>
  </audiences>
  <issuers>
    <issuer>https://login.microsoftonline.com/{tenant}/v2.0</issuer>
  </issuers>
</validate-jwt>

openid-config causes API Management to pull the JWKS (public keys) from the identity provider and use them to validate the JWT signature. This is the simplest and most robust way when only the public key is available.

Use modulus and exponent directly

If the OpenID configuration endpoint cannot be used, specify the RSA public key via issuer-signing-keys with n and e:

<validate-jwt header-name="Authorization" require-scheme="Bearer">
  <issuer-signing-keys>
    <key id="your-kid" n="{base64url-modulus}" e="{base64url-exponent}" />
  </issuer-signing-keys>
  <audiences>
    <audience>api://your-api-app-id</audience>
  </audiences>
  <issuers>
    <issuer>https://your-issuer</issuer>
  </issuers>
</validate-jwt>

Key points to ensure signature is actually validated:

Do not disable signing

Make sure require-signed-tokens is not set to false:

<validate-jwt header-name="Authorization" require-scheme="Bearer" require-signed-tokens="true">
  ...
</validate-jwt>

If require-signed-tokens is false, the token is accepted without signature validation, which matches the behavior described (changing key values has no effect).

Configure issuer-signing-keys correctly

Within issuer-signing-keys:

Use <key id="..." n="..." e="..." /> for an RSA public key.
n and e must be Base64url-encoded values of the modulus and exponent.
If id is set, it is matched to the token’s kid claim; if no kid matches, API Management will try all keys.

If the key element is misconfigured but require-signed-tokens is false, the token still passes. With require-signed-tokens="true", a mismatched n/e causes validation to fail.

Ensure other required elements are present

For full validation, configure:

<audiences>
  <audience>...</audience>
</audiences>
<issuers>
  <issuer>...</issuer>
</issuers>

and keep require-expiration-time at its default true unless there is a specific reason to allow tokens without exp.

Alternative: certificate-based public key

If the public key is available as a certificate uploaded to API Management, use certificate-id instead of n/e:

<issuer-signing-keys>
  <key certificate-id="your-cert-id" />
</issuer-signing-keys>

This also validates the signature using the public key from the certificate.

In summary, to ensure the JWT signature is actually validated when only a public key is available, configure validate-jwt with either openid-config or issuer-signing-keys (n/e or certificate-id) and keep require-signed-tokens="true". If changing modulus/exponent has no effect, the policy is likely not using those keys (for example, because require-signed-tokens is disabled or the token is not signed with an asymmetric algorithm supported by the policy).

References:

AI-generated content may be incorrect. Read our transparency notes for more information.

Share via

How to validate JWT with only a public key

1 answer

Your answer