Issued-at validation and expiry validation is performed using the clock on this local client,
so local clock inaccuracies can lead to incorrect validation results.
Use IssuedAtClockTolerance and ExpirationTimeClockTolerance
to allow for local clock inaccuracy
IssuedAtClockTolerance defaults to 30 seconds; it is very unlikely a JWT will be issued that isn't already valid.
ExpirationTimeClockTolerance defaults to zero seconds; in some use-cases it may be useful to set this to a negative
value to help ensure that passing local validation means it will pass server validation.
Regardless of whether local validation passed, code must always correctly handle an invalid JWT error
from the server.
Google certificates are cached, and refreshed once per hour. This can be overridden by setting
ForceGoogleCertRefresh to true.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe \u003ccode\u003eGoogleJsonWebSignature\u003c/code\u003e class is used to validate Google-issued JSON Web Tokens (JWTs) as specified in Google's OAuth2 Service Account documentation.\u003c/p\u003e\n"],["\u003cp\u003eThe latest version of this package is 1.69.0, with several previous versions also documented on this page, spanning from 1.68.0 back to 1.50.0.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eValidateAsync\u003c/code\u003e method checks the validity of a JWT and can throw an \u003ccode\u003eInvalidJwtException\u003c/code\u003e if validation fails, as it follows Google's JWT ID token validation procedure.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eValidateAsync\u003c/code\u003e method has two overloads, one which allows for detailed customization of validation settings and the other that provides basic JWT validation using optional parameters for clock and certificate refresh.\u003c/p\u003e\n"],["\u003cp\u003eThe class inherits members from the object class, such as \u003ccode\u003eEquals\u003c/code\u003e, \u003ccode\u003eGetHashCode\u003c/code\u003e, \u003ccode\u003eGetType\u003c/code\u003e, and \u003ccode\u003eToString\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Class GoogleJsonWebSignature (1.69.0)\n\nVersion latestkeyboard_arrow_down\n\n- [1.69.0 (latest)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.GoogleJsonWebSignature)\n- [1.68.0](/dotnet/docs/reference/Google.Apis/1.68.0/Google.Apis.Auth.GoogleJsonWebSignature)\n- [1.60.0](/dotnet/docs/reference/Google.Apis/1.60.0/Google.Apis.Auth.GoogleJsonWebSignature)\n- [1.59.0](/dotnet/docs/reference/Google.Apis/1.59.0/Google.Apis.Auth.GoogleJsonWebSignature)\n- [1.55.0](/dotnet/docs/reference/Google.Apis/1.55.0/Google.Apis.Auth.GoogleJsonWebSignature)\n- [1.50.0](/dotnet/docs/reference/Google.Apis/1.50.0/Google.Apis.Auth.GoogleJsonWebSignature) \n\n public class GoogleJsonWebSignature\n\nGoogle JSON Web Signature as specified in \u003chttps://developers.google.com/accounts/docs/OAuth2ServiceAccount\u003e. \n\nInheritance\n-----------\n\n[object](https://learn.microsoft.com/dotnet/api/system.object) \\\u003e GoogleJsonWebSignature \n\nInherited Members\n-----------------\n\n[object.Equals(object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object)) \n[object.Equals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.equals#system-object-equals(system-object-system-object)) \n[object.GetHashCode()](https://learn.microsoft.com/dotnet/api/system.object.gethashcode) \n[object.GetType()](https://learn.microsoft.com/dotnet/api/system.object.gettype) \n[object.MemberwiseClone()](https://learn.microsoft.com/dotnet/api/system.object.memberwiseclone) \n[object.ReferenceEquals(object, object)](https://learn.microsoft.com/dotnet/api/system.object.referenceequals) \n[object.ToString()](https://learn.microsoft.com/dotnet/api/system.object.tostring)\n\nNamespace\n---------\n\n[Google.Apis.Auth](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth)\n\nAssembly\n--------\n\nGoogle.Apis.Auth.dll\n\nMethods\n-------\n\n### ValidateAsync(string, ValidationSettings)\n\n public static Task\u003cGoogleJsonWebSignature.Payload\u003e ValidateAsync(string jwt, GoogleJsonWebSignature.ValidationSettings validationSettings)\n\nValidates a Google-issued Json Web Token (JWT).\nWill throw a [InvalidJwtException](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.InvalidJwtException) if the specified JWT fails any validation check.\n\n**Remarks** \nFollows the procedure to\n[validate a JWT ID token](https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken).\n\n\nIssued-at validation and expiry validation is performed using the clock on this local client,\nso local clock inaccuracies can lead to incorrect validation results.\nUse [IssuedAtClockTolerance](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.GoogleJsonWebSignature.ValidationSettings#Google_Apis_Auth_GoogleJsonWebSignature_ValidationSettings_IssuedAtClockTolerance) and [ExpirationTimeClockTolerance](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.GoogleJsonWebSignature.ValidationSettings#Google_Apis_Auth_GoogleJsonWebSignature_ValidationSettings_ExpirationTimeClockTolerance)\nto allow for local clock inaccuracy\n`IssuedAtClockTolerance` defaults to 30 seconds; it is very unlikely a JWT will be issued that isn't already valid.\n`ExpirationTimeClockTolerance` defaults to zero seconds; in some use-cases it may be useful to set this to a negative\nvalue to help ensure that passing local validation means it will pass server validation.\nRegardless of whether local validation passed, code must always correctly handle an invalid JWT error\nfrom the server.\n\nGoogle certificates are cached, and refreshed once per hour. This can be overridden by setting\n[ForceGoogleCertRefresh](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.GoogleJsonWebSignature.ValidationSettings#Google_Apis_Auth_GoogleJsonWebSignature_ValidationSettings_ForceGoogleCertRefresh) to true.\n\n### ValidateAsync(string, IClock, bool)\n\n public static Task\u003cGoogleJsonWebSignature.Payload\u003e ValidateAsync(string jwt, IClock clock = null, bool forceGoogleCertRefresh = false)\n\nValidates a Google-issued Json Web Token (JWT).\nWill throw a [InvalidJwtException](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Auth.InvalidJwtException) if the passed value is not valid JWT signed by Google.\n\n**Remarks** \nFollows the procedure to\n[validate a JWT ID token](https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken).\n\nGoogle certificates are cached, and refreshed once per hour. This can be overridden by setting\n`forceGoogleCertRefresh` to true.\n\nExtension Method\n----------------\n\n[Utilities.ThrowIfNull\\\u003cT\\\u003e(T, string)](/dotnet/docs/reference/Google.Apis/latest/Google.Apis.Util.Utilities#Google_Apis_Util_Utilities_ThrowIfNull__1___0_System_String_)"]]
