Is the JWT Token Validated?

There's really two main ways that token validation and information from the token is extracted for the resources to use. One is to include it directly in the JWT and the resource server validates that and extracts the information from it directly. The other method that is standardized in an RFC is to do what's called introspection, which is, I guess, sort of a misleading name. But either way with the certificate binding, there's a hash of the certificate included in the token. And so ultimately the resource either gets that directly from the JWT or through introspection.