As outlined in this doc, you need to make sure, at a minimum, that the aud, roles, and iss claims are as expected, and that can only be done by looking at a JWT and examining those claims. If you use a library that supports JWKS, doing this should be super simple.

Note that the FusionAuth API endpoint validates JWTs at a basic level. It ensures that the JWT hasn't expired and that it was signed correctly.

The reasons to use the API endpoint are:

• If you have an HMAC signed JWT and you don't want to share the secret with the JWT consumer
• If you have no JWT library that is available (whether because it hasn't been written, or you don't want to deploy it with your application)
• You are willing to accept a network call instead of loading up a such a library