4.1.5 Token Verification

Topic Version: 1, Published: 10/31/2016
For Standard: ETP v1.1

Typically, a software library is used to decode and validate the JWT. While the specifics of this process depend on the library used and the details of the token provider, the following framework identifies the steps the server must take. A failure at any step would cause the request to be denied.

  1. The token string MUST parse as a valid JWT.
  2. The signature MUST be verified using the signing secret or key.
  3. The claims are verified. Apart from the iat and exp as discussed above, ETP does not specify how the server verifies other claims, such as audience and subject.
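As an added example (not part of the ETP specification or of any ETP library), the three steps above as a self-contained HS256 verifier using only the Python standard library: it stops at the first failing step and reports which one, so a failure anywhere denies the request. The shared secret, the claims and the make_token helper that builds a sample token are constructed here for illustration only.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def verify_token(token, secret, now=None, leeway=0):
    """Return (claims, None) on success, or (None, reason) at the first failing step."""
    now = int(time.time()) if now is None else now
    # Step 1: the token string must parse as a valid JWT (header.payload.signature).
    parts = token.split(".")
    if len(parts) != 3:
        return None, "step 1: token is not a three-segment JWT"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # base64 and JSON decoding errors both derive from ValueError
        return None, "step 1: segments are not valid base64url-encoded JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "step 1: header and payload must be JSON objects"
    # Step 2: the signature must verify under the shared secret; only HS256 is accepted,
    # so a header claiming 'alg: none' or another algorithm is denied here.
    if header.get("alg") != "HS256":
        return None, "step 2: unsupported or missing alg"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "step 2: signature does not verify"
    # Step 3: the claims are verified; iat and exp are the ones ETP requires.
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None, "step 3: iat and exp must be integer timestamps"
    if iat > now + leeway:
        return None, "step 3: token issued in the future"
    if exp <= now - leeway:
        return None, "step 3: token has expired"
    return claims, None


def make_token(claims, secret):
    """Build an HS256 JWT; used here only to construct sample input (not a real provider)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    head, body = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```

The leeway parameter allows for clock skew between the token provider and the server; a production deployment would also check the provider-specific claims (audience, subject) that ETP leaves unspecified.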