Validate an LTI 1.3 id_token JWT from a platform using the platform's JWKS endpoint
domain: imsglobal.org · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed
Verified steps
1. Retrieve the platform's JWKS URI from the tool registration configuration
2. Fetch the public key set from the JWKS URI and cache it with a short TTL
3. Decode the JWT header to extract the kid and alg claims
4. Select the matching JWK from the key set using the kid value
5. Verify the JWT signature and validate standard claims: iss, aud, exp, iat, nonce, and the https://purl.imsglobal.org/spec/lti/claim/message_type claim
6. Confirm the nonce matches a value your tool stored prior to the OIDC login initiation to prevent replay attacks
Known gotchas
- Platforms may rotate keys without notice; always re-fetch JWKS on a kid-not-found error rather than failing immediately
- The aud claim may be a string or a JSON array; handle both forms or token validation will incorrectly reject valid launches
- The nonce must be one-time-use and time-bounded; store it server-side and delete it on first use
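The three gotchas above, as an added Python example (not part of the contributed route, and not IMS or platform code): key selection that re-fetches once on a kid miss, aud accepted as string or array, and a nonce that is deleted on first use. Signature verification itself is left to a JWT library and must succeed before `claim_errors` is called; `NonceStore`, `select_jwk`, `claim_errors`, `fetch_jwks`, the 300-second TTL and the 60-second clock skew are all assumptions made for illustration.

```python
import time

MESSAGE_TYPE = "https://purl.imsglobal.org/spec/lti/claim/message_type"

class NonceStore:
    """One-time-use, time-bounded nonces (in-memory stand-in for a server-side store)."""
    def __init__(self, ttl=300):
        self.ttl, self._expiry = ttl, {}

    def issue(self, nonce, now):
        self._expiry[nonce] = now + self.ttl

    def consume(self, nonce, now):
        expires = self._expiry.pop(nonce, None)  # deleted on first use, valid or not
        return expires is not None and now <= expires

def select_jwk(kid, cache, fetch_jwks):
    """Return the JWK matching kid; on a miss re-fetch the JWKS once (key rotation)."""
    for refetched in (False, True):
        for jwk in cache.get("keys", []):
            if jwk.get("kid") == kid:
                return jwk
        if not refetched:
            cache.clear()
            cache.update(fetch_jwks())  # fetch_jwks: hypothetical callable doing the HTTPS GET
    return None  # still unknown after a fresh fetch: reject the launch

def claim_errors(claims, issuer, client_id, nonces, now=None, skew=60):
    """Claim checks for an id_token whose signature has ALREADY been verified."""
    now = time.time() if now is None else now
    errors = []
    aud = claims.get("aud")
    # aud may be a single string or a JSON array; normalise to a list
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if claims.get("iss") != issuer:
        errors.append("iss")
    if client_id not in audiences:
        errors.append("aud")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp + skew:
        errors.append("exp")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        errors.append("iat")
    if not isinstance(claims.get(MESSAGE_TYPE), str):
        errors.append("message_type")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonces.consume(nonce, now):
        errors.append("nonce")
    return errors  # empty list means every claim check passed
```

An empty list from `claim_errors` means the launch may proceed; any entry names the claim that failed.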