Signature validation fails on access tokens that are minted by a custom authorization server configured in Okta.
- OAuth 2.0
- Custom Authorization Server
- JWT Verifier
- Token Validation
- Automatic Key Rotation
Signature validation of the access token fails if the "kid" (key identifier) in the access token header has no corresponding kid in the JWKS response from Okta (https://${DomainName}/oauth2/${authorizationServerId}/v1/keys). This can occur when the application caches signing keys and automatic key rotation is enabled in Okta: after Okta rotates the keys automatically, the application keeps reading the stale keys from its cache, and validation fails.
Clients that cache keys should periodically check the JWKS for updated signing keys. Okta recommends a blended approach: cache keys regularly for performance, and check just in time by retrieving keys dynamically from the keys endpoint if the key read from the cache fails signature validation.
Caching: Okta recommends a background process that regularly caches the /keys endpoint. This process can run once a day or less frequently, for example once per week. This ensures that an up-to-date set of keys for validation is always available, even when the next key is generated or rotated automatically at the 45-day or 90-day mark, respectively.
If any of the following Okta libraries is used for JWT validation, see the corresponding recommendation:
- okta-jwt-verifier-js: keys are cached by keyID by default for 1 hour. The cacheMaxAge option configures the lifetime of cache entries. If a key ID is not found in the cache, the JWKS endpoint is requested.
- okta-jwt-verifier-golang: has a default cache with a 5-minute expiry and a 10-minute purge setting. The verifier can also be configured with a custom cache function that implements the Cacher interface the library provides; see the Customizable Resource Cache documentation for details. For example, with a custom cache constructor named NewForeverCache:
    jwtVerifierSetup := jwtverifier.JwtVerifier{
        Cache: NewForeverCache, // custom cache function implementing the library's Cacher interface
        // other fields here
    }
    verifier := jwtVerifierSetup.New()
- okta-jwt-verifier-php: a custom cache that implements \Psr\SimpleCache\CacheInterface can be passed to the Adaptor constructor. See Caching for more details.
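As an added example (not Okta's code and not from any of the libraries above), the blended approach in one place: a JWKS cache keyed by kid with a scheduled re-read, plus a throttled just-in-time refetch when a token's kid is not cached, exercised against a constructed stand-in for the keys endpoint that rotates its key. FakeJwksEndpoint, JwksCache and verify_token are assumed names, and HS256 stands in for Okta's RS256 keys so the example runs with the standard library alone.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class FakeJwksEndpoint:
    """Constructed stand-in for the /v1/keys endpoint: holds the current signing key,
    counts JWKS fetches and mints tokens (HS256 stands in for Okta's RS256 here)."""
    def __init__(self, kid, secret):
        self.kid, self.secret, self.fetches = kid, secret, 0

    def fetch(self):
        self.fetches += 1
        return {"keys": [{"kid": self.kid, "kty": "oct", "k": b64url_encode(self.secret)}]}
    def mint(self, claims):
        header = b64url_encode(json.dumps({"alg": "HS256", "kid": self.kid}).encode())
        payload = b64url_encode(json.dumps(claims).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url_encode(sig)}"

class JwksCache:
    """Keys cached by kid and re-read every max_age seconds; an unknown kid triggers a
    just-in-time refetch, throttled to one per min_refresh seconds."""
    def __init__(self, fetch_jwks, max_age=86400, min_refresh=60):
        self.fetch_jwks, self.max_age, self.min_refresh = fetch_jwks, max_age, min_refresh
        self.keys, self.fetched_at, self.last_miss = {}, None, None

    def refresh(self, now):
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
        self.fetched_at = now

    def get_key(self, kid, now):
        if self.fetched_at is None or now - self.fetched_at > self.max_age:
            self.refresh(now)  # regular cache refresh (the scheduled background read)
        key = self.keys.get(kid)
        if key is None and (self.last_miss is None or now - self.last_miss >= self.min_refresh):
            self.last_miss = now
            self.refresh(now)  # kid not cached: re-read the JWKS before failing the token
            key = self.keys.get(kid)
        return key

def verify_token(token, cache, now):
    # Returns the claims when the signature verifies with the key named by the header kid, else None.
    h, p, s = token.split(".")
    key = cache.get_key(json.loads(b64url_decode(h)).get("kid"), now)
    if key is None:
        return None
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None
```

The throttle matters: a token carrying a fabricated kid must not be able to force a JWKS fetch on every request.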
NOTE: This article discusses access token validation issues when using a Custom Authorization Server. If using the Org Authorization Server, local validation of Access Tokens is not supported, as described in this article: Validation Failed on Access Token Issued by the Org Authorization Server.
