Error while validating token using jwt verifier


I am trying to validate my access token using the Okta JWT verifier, by referring to the link

But I am getting the below error. (The issuer I am using is https://<OKTA_URL>/oauth2/default/v1/authorize)

Caused by: io.jsonwebtoken.JwtException: Failed to fetch keys from URL: https:/oauth2/default/v1/keys
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.updateKeys(
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.getKey(
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.resolveSigningKey(
at io.jsonwebtoken.impl.DefaultJwtParser.parse(
at io.jsonwebtoken.impl.DefaultJwtParser.parse(

Any help is much appreciated.



Can you please switch the issuer to https://<OKTA_URL>/oauth2/default from https://<OKTA_URL>/oauth2/default/v1/authorize and try once again?

Hi Dragos,

Thanks for your response and changing the issuer URL fixed the issue.



Hi Dragos,

I think I might need your help again on this. Our requirement is to generate an access token which will be used to invoke an API call (for example - listusers). To achieve this the scope should be “”. I tried generating the access token in different ways but the JWT Validator is always failing.

For the JWT Validator, I am using the below configuration
String issuerUrl = "https://<OKTA_URL>/oauth2/default";
String audience = "api://default";

Option 1: Tried generating access token with “default” in the URL

Output - http://<REDIRECT_URI>/#state=1234&error=invalid_scope&error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource.

Option 2: Generated access token without “default” in the URL

Output - JWT error - A signing key must be specified if the specified JWT is digitally signed.

Option 3 - Using the site, I am able to generate an access token, which is getting validated by the JWT validator, but this site doesn't support scope.

Let me know if you have any thoughts/suggestions.

Thanks in advance


I’ve checked on my end and, indeed, OAuth for Okta scopes can only be requested at the moment from the Okta authorization server (e.g. /oauth2/v1/authorize), meaning that the only way to verify these tokens is by doing an introspect and checking if the token is returned as active or not.

@dragos how can I use the introspect call in Postman for the Okta org authorization server?
It is a silly question but please help.
Thank you

Hi @Shubham6541

You can use the same call basically as for the custom authorization servers:

curl --location --request POST '' \
--header 'Accept: application/json' \
--header 'Authorization: Basic MG9hN...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=TOKEN_HERE'
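
The introspection check discussed in this thread, sketched in Python as an added example (not code from the posters or from Okta): it builds the same POST as the curl command and accepts a token only when the RFC 7662 response says it is active, unexpired and carries the required scopes. The function names, the `example.read` scope and the sample response are constructed for illustration, and the endpoint and client credentials are supplied by the caller.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = '{"active": true, "scope": "example.read", "exp": 4102444800}'


def build_introspection_request(endpoint, client_id, client_secret, token):
    """Build the same POST as the curl command: Basic client auth, form body."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("introspection endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        endpoint,
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
        headers={
            "Accept": "application/json",
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def token_is_usable(raw_response, required_scopes, now=None):
    """Fail closed: only an active, unexpired token with every required scope passes."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(raw_response)
    except (TypeError, ValueError):
        return False
    # "active" must be the JSON boolean true; a string such as "true" is rejected.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False
    exp = claims.get("exp")  # optional in RFC 7662; checked when present
    if exp is not None and (isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now):
        return False
    scope = claims.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    return set(required_scopes) <= granted


def introspect(endpoint, client_id, client_secret, token, required_scopes):
    """Send the request; endpoint and credentials are caller-supplied placeholders."""
    req = build_introspection_request(endpoint, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return token_is_usable(resp.read(), required_scopes)
```

Because the token's signature is not verified locally here, the introspection response is the only source of truth, so any malformed or ambiguous response is treated as a rejected token.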