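// Validate a JWT issued by ServerSSO and return the caller's user context.
//
// Parameters:
//   token    - the raw compact-serialized JWT (untrusted input)
//   audience - the audience identifier this service expects to find in `aud`
//   leeway   - optional clock-skew tolerance in seconds applied to exp/nbf
//              (default 0 keeps the original strict comparison; 30-60s is
//              a common production value when issuer and verifier clocks drift)
//
// Returns: { userId, roles, email } taken from the verified payload.
// Throws:  InvalidTokenError for every rejection reason; callers must treat
//          the token as unauthenticated in that case.
//
// Order matters: nothing from the header or payload is trusted until the
// signature check in step 3 passes. The only header fields read before that
// point are `alg` and `kid`, and both are validated as untrusted strings.
function validateJWT(token, audience, leeway = 0):
    // 1. Split and decode (no verification yet).
    //    A compact JWS has exactly three segments; anything else is malformed
    //    (a JWE or a truncated token) and must not reach the decoder.
    parts = token.split(".")
    if parts.length != 3:
        throw InvalidTokenError("Malformed token")
    [header_b64, payload_b64, signature_b64] = parts
    try:
        header = base64url_decode(header_b64)     // assumed to yield a parsed JSON object
        payload = base64url_decode(payload_b64)
    catch:
        throw InvalidTokenError("Malformed token")
    if header is null OR payload is null:
        throw InvalidTokenError("Malformed token")

    // 2. Pin the algorithm before doing anything with the key.
    //    RSA_SHA256_verify below already refuses to treat a public key as an
    //    HMAC secret, but pinning `alg` here makes the contract explicit,
    //    rejects alg="none" and alg confusion at the door, and keeps the
    //    header, the key and the verifier in agreement.
    if header.alg != "RS256":
        throw InvalidTokenError("Unsupported alg")

    // 3. Look up the signing key. `kid` is attacker-controlled: require a
    //    string and only ever use it as a map key, never as a path or query.
    kid = header.kid
    if kid is not a string OR kid is empty:
        throw InvalidTokenError("Missing kid")
    key = jwksCache.get(kid)
    if key is null:
        // Re-fetch from ServerSSO. Because an unknown kid is trivially
        // forgeable, this refresh MUST be rate-limited inside jwksCache
        // (e.g. at most once per N seconds) or an attacker can turn every
        // bogus token into an outbound JWKS request.
        jwksCache.refresh()
        key = jwksCache.get(kid)
        if key is null:
            throw InvalidTokenError("Unknown kid")
    // A JWKS entry may carry its own `alg`; if it does, it must match.
    if key.alg is set AND key.alg != "RS256":
        throw InvalidTokenError("Key/alg mismatch")

    // 4. Verify signature over the exact base64url segments received.
    message = header_b64 + "." + payload_b64
    if NOT RSA_SHA256_verify(message, signature_b64, key.publicKey):
        throw InvalidTokenError("Bad signature")

    // 5. Validate standard claims. Each claim is REQUIRED: a missing `exp`
    //    would otherwise compare as "not expired" forever, and a missing
    //    `iss`/`aud` would skip the check entirely.
    current = now()
    if payload.exp is not set OR payload.exp + leeway < current:
        throw InvalidTokenError("Token expired")
    if payload.nbf is set AND payload.nbf - leeway > current:
        throw InvalidTokenError("Token not yet valid")
    if payload.iss != "https://sso.example.com":
        throw InvalidTokenError("Wrong issuer")
    // `aud` may be a single string or an array of strings (RFC 7519 §4.1.3).
    if payload.aud is not set:
        throw InvalidTokenError("Wrong audience")
    audiences = payload.aud is array ? payload.aud : [payload.aud]
    if audience NOT IN audiences:
        throw InvalidTokenError("Wrong audience")
    if payload.sub is not set OR payload.sub is empty:
        throw InvalidTokenError("Missing subject")

    // 6. Extract and return user context. Only fields from the verified
    //    payload are returned; nothing from the unverified header leaks out.
    return {
        userId: payload.sub,
        roles: payload.roles,
        email: payload.email
    }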