Fetch the provider's OpenID Connect discovery document from the well-known configuration URL (typically /.well-known/openid-configuration) to obtain the jwks_uri and issuer values
Download the JSON Web Key Set from jwks_uri and cache it with a short TTL; implement cache-busting by re-fetching when a token arrives with an unrecognized kid
Decode the ID token header (without verifying) to extract the kid and alg fields, then locate the matching key in the cached JWKS
Verify the token signature with the selected public key. Accept the header's alg only if it is on your allowlist and matches the selected key's type; reject tokens with alg=none or any other unexpected algorithm
Validate standard claims: iss must equal the issuer from discovery, aud must contain your client_id, exp must be in the future, and iat must be reasonably recent
If using nonce-based replay protection, verify the nonce claim matches the value you sent in the authorization request
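The validation pipeline from the steps above as an added, stand-alone example (not code from the original page): kid lookup in a cached JWKS with a single re-fetch on an unknown kid, an alg allowlist, signature check, then iss/aud/exp/iat/nonce checks with skew tolerance. It assumes hypothetical names (IdTokenValidator, fetch_jwks, mint_hs256) and, because it must run on the standard library alone, registers an HMAC (HS256, "oct" JWK) verifier; a real multi-party deployment registers RS256/ES256 verifiers from a crypto library instead and drops HS256 from the allowlist.

```python
import base64, hashlib, hmac, json, time

# HS256 is listed only so the demo runs on stdlib; remove it for multi-party OIDC.
ALLOWED_ALGS = {"RS256", "ES256", "HS256"}

def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_verify(jwk, signing_input, sig):   # verifier for "oct" JWKs (stdlib stand-in)
    mac = hmac.new(b64u_dec(jwk["k"]), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig)

class IdTokenValidator:
    def __init__(self, issuer, client_id, fetch_jwks, verifiers, skew=300, max_age=600):
        self.issuer, self.client_id, self.fetch_jwks = issuer, client_id, fetch_jwks
        self.verifiers, self.skew, self.max_age = verifiers, skew, max_age
        self._refresh()                                 # initial JWKS download into the cache

    def _refresh(self):                                 # cache keyed by kid
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}

    def _key_for(self, kid):
        if kid not in self.keys:                        # unknown kid: re-fetch once (key rotation)
            self._refresh()
        return self.keys.get(kid)

    def validate(self, token, nonce=None, now=None):
        now = time.time() if now is None else now
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64u_dec(h_b64))            # decoded, not yet trusted
        alg = header.get("alg")
        if alg not in ALLOWED_ALGS or alg not in self.verifiers: raise ValueError(f"unexpected alg {alg!r}")
        key = self._key_for(header.get("kid"))
        if key is None or key.get("alg", alg) != alg: raise ValueError("no usable key for kid")
        if not self.verifiers[alg](key, f"{h_b64}.{p_b64}".encode(), b64u_dec(s_b64)): raise ValueError("bad signature")
        c = json.loads(b64u_dec(p_b64))                 # claims are only read after the signature passes
        aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
        if c.get("iss") != self.issuer: raise ValueError("iss mismatch")
        if self.client_id not in aud: raise ValueError("aud mismatch")
        if c.get("exp", 0) + self.skew < now: raise ValueError("expired")
        if not (now - self.max_age - self.skew <= c.get("iat", 0) <= now + self.skew): raise ValueError("bad iat")
        if nonce is not None and c.get("nonce") != nonce: raise ValueError("nonce mismatch")
        return c

def mint_hs256(jwk, claims):   # constructed helper standing in for the provider's signer
    h = b64u_enc(json.dumps({"alg": "HS256", "kid": jwk["kid"], "typ": "JWT"}).encode())
    p = b64u_enc(json.dumps(claims).encode())
    sig = hmac.new(b64u_dec(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64u_enc(sig)}"
```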
Known gotchas
Do not rely solely on the token's own iss claim to select a trusted issuer; validate against a pre-configured allowlist
Asymmetric algorithms (RS256, ES256) are strongly preferred over symmetric (HS256) for multi-party scenarios because the private key never leaves the provider
Clock skew between your server and the provider can cause valid tokens to fail exp or nbf checks; allow a small tolerance (typically under 5 minutes)
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp