Okta AS Keys mismatch what jwt.io reports

I’d like to be able to verify the signature on a JWT in the applications rather than have to use an SDK that accesses the Auth Server.

My understanding is that I can request the public keys via https://{myOktaDomain}/oauth2/default/v1/keys then use them to validate the signature on the JWT. I am using http://jwt.io to initially debug this by getting a valid JWT access token then pasting it into jwt.io.

This is all working and jwt.io reports a valid token and signature. Problem is in the jwt.io signature area it is reporting a different public key than the one I am receiving from the JWKS URL above. Does anybody know why I’m seeing this? Is there something I have to do to the JWKS result before using it to validate the signature?

… as a followup, what it appears http://jwt.io is doing is querying the ‘iss’ for it’s well-known public keys, then using that to find the key for ‘kid’ from this token, and then using that key to validate the signature on this token. It then displays that base64-encoded publickey in the ‘VERIFY SIGNATURE’ portion between standard BEGIN/END lines:

-----BEGIN PUBLIC KEY-----
{publickey from the issuer}
-----END PUBLIC KEY---

When I query the key from my Okta issuer’s JWKS URL and paste it into jwt.io, it says ‘INVALID SIGNATURE’, BUT …

When replace the whole PEM structure including the BEGIN/END lines with the full JWKS JSON object, it says VALID SIGNATURE.

So clearly, I’m supposed to be changing the resulting JWKS object, but what am I supposed to be doing to it??