Can resource server validate JWT signature?

I am new to OAuth and OIDC; what I know about it at a high level suggests that my resource servers/microservices can pass JWTs to each other in requests and validate the JWT themselves, using the public keys retrieved from the Authentication Server. Is this correct?

The challenge I’m running into is that given the JWKS keys that I’m retrieving, I don’t see a way to validate the signature in the tokens. I see a lot of ‘stuff’ there (x509 cert and thumbprint, key type and algorithm, RSA modulus ‘n’ and exponent ‘e’) but I don’t understand how I can use these to validate the signature. Are there libraries available for this? I can see that successfully validates the tokens; I wonder how they do it?

There should be libraries available to parse the key set in whatever language you use. Likely the most popular PHP library (firebase/php-jwt) makes it super easy to work with the JWKS response. See

Thanks, yes, parsing it has been successful and is pretty easy, which is great.

But all the APIs I’ve seen validate the signatures by calling the Auth Server (I wiresharked them just to be sure). Does anybody know of any client libraries that actually validate signatures in process rather than sending the token to the AS?

If I understood well, you are looking for offline token validation.
I am doing it in my project using a library (written in Lua); take a look at the library here: kong-plugin-jwt-keycloak. Maybe it can help you implement one by yourself.
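As an added illustration of the offline validation discussed in this thread (it is not code from the original posts or from kong-plugin-jwt-keycloak), the following Python uses only the standard library to turn a JWKS entry's `n` and `e` into an RS256 verifier for a compact JWT, so the resource server never has to call the Auth Server per request. The demo issuer, the `demo-1` kid and the sample payload are constructed for the example; a real resource server would also check exp, iss and aud after the signature passes.

```python
import base64, hashlib, hmac, json, random
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def jwk_int(s): return int.from_bytes(unb64u(s), "big")
# SHA-256 DigestInfo prefix from RFC 8017; RS256 is RSASSA-PKCS1-v1_5 over SHA-256
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg, k):
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks):
    h, p, s = token.split(".")
    header = json.loads(unb64u(h))
    if header.get("alg") != "RS256": return None     # pin the algorithm; never let the token choose it
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None: return None                        # unknown kid: refresh the JWKS once, then fail closed
    n, e = jwk_int(key["n"]), jwk_int(key["e"])        # the modulus and exponent from the JWKS entry
    k, sig = (n.bit_length() + 7) // 8, unb64u(s)
    if len(sig) != k: return None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")   # sig^e mod n recovers the padded digest
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h}.{p}".encode(), k)): return None  # compare the whole EM
    return json.loads(unb64u(p))                       # signature good; caller still checks exp / iss / aud

# ---- constructed demo issuer: a throwaway key made here with `random` (demo only), not from any real IdP ----
def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = c - 1, 0
        while d % 2 == 0: d, r = d // 2, r + 1
        for _ in range(16):                            # Miller-Rabin rounds
            x = pow(random.randrange(2, c - 1), d, c)
            if x in (1, c - 1): continue
            for _ in range(r - 1):
                x = pow(x, 2, c)
                if x == c - 1: break
            else: break                                # composite witness found, try the next candidate
        else: return c

def demo_issuer(bits=1024, e=65537):
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if (p - 1) % e and (q - 1) % e: break          # e must be invertible mod phi(n)
    n, d, k = p * q, pow(e, -1, (p - 1) * (q - 1)), bits // 8
    jwks = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256", "n": b64u(n.to_bytes(k, "big")), "e": b64u(e.to_bytes(3, "big"))}]}
    def sign(payload):                                 # what the Auth Server does with its private exponent d
        signing_input = b64u(b'{"alg":"RS256","kid":"demo-1"}') + "." + b64u(json.dumps(payload).encode())
        m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
        return signing_input + "." + b64u(pow(m, d, n).to_bytes(k, "big"))
    return jwks, sign
```

Cache the JWKS document and look keys up by `kid`; refetch it once on an unknown `kid` so key rotation works without a round trip per token.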