Signature validation failed. Unable to match keys kid

I have an Angular application with a .NET Core backend. I am authenticating the Angular app and getting back the JWT token. I created an interceptor and I am passing the Bearer token in the header back to the .NET service. I am trying to authorize the backend endpoint using the JWT token and I am getting a 401:
Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match keys:
kid: '_S5j0lZKMpwMp73sUrVNGfvPXcMwf…

In my .NET code I am doing the JWT authentication:
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Configuration["Okta:Domain"],
        ValidAudience = Configuration["Okta:aud"]
    };
});


I know I might be missing the SigningKey validation, but how can I get the signing key?
I followed what’s in
but https://{domain}/oauth2/default/.well-known/oauth-authorization-server is returning
“You do not have permission to access the feature you are requesting”

Am I doing the right thing here? All I want is to use the JWT token I get back when I authenticate and use it to authenticate and authorize my backend endpoints.

Appreciate any help.


ValidIssuer = Configuration["Okta:Domain"],

It sounds like you are trying to validate a token issued by the Okta Org Authorization Server instead of a Custom Authorization Server, is that right?

In order to validate your tokens locally (instead of remotely by sending them to the /introspect endpoint), you will need to have the API Access Management feature enabled in your Okta instance so that you can use a Custom Authorization Server. You can read about this here:
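
An added diagnostic for the IDX10501 error discussed in this thread (not code from either poster or from Okta): it reads the `kid` and `iss` of a token without verifying it and compares them with the JWKS and issuer the API is set up to trust. The token, the JWKS, the `okta.example` host and the helper names are constructed for illustration; in practice the JWKS is the document behind the `jwks_uri` in the authorization server's metadata.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Base64url helpers. Decoding does NOT verify the signature: use the decoded
// values for diagnosis only, never for an authorization decision.
static string Encode(string json) =>
    Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

static JsonElement Decode(string segment)
{
    string b64 = segment.Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64))).RootElement;
}

static string Claim(JsonElement obj, string name) =>
    obj.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
        ? v.GetString()! : "(missing)";

// Compare the token's kid and iss with what the API is configured to trust.
static string[] Diagnose(string jwt, string jwksJson, string expectedIssuer)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3) return new[] { "not a compact JWS: expected 3 segments" };
    string kid = Claim(Decode(parts[0]), "kid");
    string iss = Claim(Decode(parts[1]), "iss");
    var published = JsonDocument.Parse(jwksJson).RootElement.GetProperty("keys")
        .EnumerateArray().Select(key => Claim(key, "kid")).ToList();
    return new[]
    {
        $"token kid: {kid}; JWKS kids: {string.Join(", ", published)}",
        published.Contains(kid) ? "kid found in JWKS" : "kid NOT in JWKS, so IDX10501 is expected",
        iss == expectedIssuer ? "issuer matches" : $"issuer mismatch: token iss={iss}, API expects {expectedIssuer}",
    };
}

// Constructed sample data (not real keys or tokens): a token whose issuer is the
// bare org URL, checked against keys published under /oauth2/default.
string token = Encode("{\"alg\":\"RS256\",\"kid\":\"constructed-kid-A\"}") + "."
    + Encode("{\"iss\":\"https://okta.example\",\"aud\":\"https://okta.example\"}") + ".sig";
string jwks = "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"constructed-kid-B\"},{\"kty\":\"RSA\",\"kid\":\"constructed-kid-C\"}]}";

foreach (string line in Diagnose(token, jwks, "https://okta.example/oauth2/default"))
    Console.WriteLine(line);
```

Run against a real token and the JWKS your API actually loads, a "kid NOT in JWKS" line means the token was signed by a different authorization server than the one the API trusts.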