I am very new to jwt and signature validation. I had a very basic query. I am generating a token from MSAL(AAD). When I use the token in jwt.io, I can see that it automatically populates the secret key and marks the signature as verified. How does jwt.io know about this?
From generating token point of view, I didn't mention anywhere explicitly to generate the token with any secret.
You don't show the details of your token here (which is ok), but I assume the token has a kid and maybe also a jku in the header.
The kidis the Key Id, and the jku the JSON Web Key Set URL.
Under that URL (you can paste it to your browser to see) you can find a set of JWKs (JSON Web Keys), basically a collection of public keys in a special format. In case of tokens issued by AAD you the JWKS_URI can be found on https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.
JWT.io can read this information and find the key with the given kid and verify the token based on that.
This Q/A explains the verification of JWTs issued by AAD in more detail.
