Thanks - that's helpful. I can see the G6 certificate that I think issued the one in the JWT (still working on that...).
But I'm still pretty unclear about what I'm expected to do with this. I'm guessing I won't always get a JWT signed by G6. There were some PDFs linked from that page, but they all read like T&C's, and I'm not convinced that I am the target audience for them.
I'm surprised that there doesn't seem to be anywhere that Apple spells out what it expects you to do to validate the token. The more complicated and ambiguous it is, the more chance that loads of insecure implementations are going to crop up across the cloud, which can't be good for anyone.