OAuth 2 / OpenID Connect for JavaScript Runtimes
function experimental_validateJwtAccessToken
import { experimental_validateJwtAccessToken } from "https://deno.land/x/oauth4webapi@v2.8.1/mod.ts";

This is an experimental feature; it is not subject to semantic versioning rules. Non-backward compatible changes or removal may occur in any future release.

Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per RFC 9068 and optionally also RFC 9449.

This does validate the presence and type of all required claims as well as the values of the iss, exp, and aud claims.

This does NOT validate the sub, jti, and client_id claims beyond just checking that they're present and that their type is a string. If you need to validate these values further you would do so after this function's execution.

This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to clients you would check these after this function's execution.

This does NOT validate authorization claims such as scope either; you would do so after this function's execution.
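The checks left to the caller for scope, client_id, jti and sub could look like the following added example, which is not part of oauth4webapi. The function names, the policy object and the sample claims are assumptions made for illustration, and the DPoP nonce check is not covered.

```javascript
// Added example. `sampleClaims` is constructed data standing in for the claims
// of a token that has already passed signature, iss, exp and aud validation.
const sampleClaims = {
  iss: "https://as.example.com", aud: "https://api.example.com",
  sub: "user-123", client_id: "web-portal", jti: "a1b2c3",
  iat: 1700000000, exp: 1700000300, scope: "orders:read orders:write",
};

// Hypothetical resource-server policy; every name in it is an assumption.
const samplePolicy = {
  requiredScopes: ["orders:read"],
  allowedClients: new Set(["web-portal", "mobile-app"]),
  revokedJti: new Set(["dead-beef"]),
  isSubjectActive: (sub) => sub !== "user-disabled",
};

class AccessDenied extends Error {}

function enforceAfterValidation(claims, policy) {
  // scope is a space-delimited list; compare whole tokens, never substrings.
  const granted = new Set(
    typeof claims.scope === "string" ? claims.scope.split(" ").filter(Boolean) : [],
  );
  for (const needed of policy.requiredScopes) {
    if (!granted.has(needed)) throw new AccessDenied(`missing scope: ${needed}`);
  }
  // client_id, jti and sub were only checked for presence and string type.
  if (!policy.allowedClients.has(claims.client_id)) {
    throw new AccessDenied("client not allowed");
  }
  if (policy.revokedJti.has(claims.jti)) throw new AccessDenied("token revoked");
  if (!policy.isSubjectActive(claims.sub)) throw new AccessDenied("subject not active");
  return { sub: claims.sub, clientId: claims.client_id, scopes: [...granted] };
}

// Returns "ok" or the denial reason, so callers can map it to a 403 response.
function decide(claims, policy) {
  try {
    enforceAfterValidation(claims, policy);
    return "ok";
  } catch (err) {
    if (err instanceof AccessDenied) return err.message;
    throw err;
  }
}
```

A token without a scope claim is treated as granting nothing, so any route with a required scope rejects it.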

Parameters

Authorization Server to accept JWT Access Tokens from.

request: Request
expectedAudience: string

Audience identifier the resource server expects for itself.