Issuer URL for MS Teams bot framework

Question

Issuer URL for MS Teams bot framework

S, Carol 0

I'm migrating our Kyma APIRule configuration from v1beta1 to v2, and v2 requires an explicit issuer URL that must exactly match the iss claim inside the access tokens issued by the Bot Framework.

Could you please confirm the exact issuer URL (including trailing slash, if required) that Bot Framework uses in the access tokens for requests sent to my bot?

Been following this document: https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-authentication?view=azure-bot-service-4.0&tabs=multitenant#connector-to-bot.
But my issuer is "issuer": "https://api.botframework.com"
but when I decode my JWT its

"iss": "https://sts.windows.net/d6d49420-f39b-4df7-a1dc-d59a935871db/"

This is required because Kyma APIRule v2 returns: “Jwt issuer is not configured” when the configured issuer does not exactly match the token’s iss claim.

Can you please provide the correct issuer value and the corresponding JWKS URL?

Thank you!

1 answer

Your answer

Answer 1

Kudos-Ng 10,385 Microsoft External Staff Moderator

Hi S, Carol,

Thank you for posting your question in the Microsoft Q&A forum.

After reviewing your description and the linked documentation, I’d like to provide the following information:

The iss claim in Bot Framework access tokens is issued by Azure Active Directory, not by https://api.botframework.com. The correct issuer value is: https://sts.windows.net/<tenant-id>/

This matches what you observed in your decoded JWT. The https://api.botframework.com value corresponds to the audience (aud claim), not the issuer.

For JWKS (public keys) to validate the token signature, use: https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keysor, for multi-tenant scenarios: https://login.microsoftonline.com/common/discovery/v2.0/keys

Ensure your Kyma APIRule v2 configuration uses the exact issuer value from the token, including the trailing slash, to avoid the “Jwt issuer is not configured” error.

Hope this information helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

S, Carol 0 Reputation points

2025-11-17T14:14:32.32+00:00

Thanks for the reply, Ours is the Ms teams chatbot with Azure bot framework.
so our usecase is Authenticate requests from the Bot Connector service to your bot right?
Attaching the link: https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-authentication?view=azure-bot-service-4.0&tabs=singletenant#connector-to-bot

Under Authenticate requests from the Bot Connector service to your bot it says issuer is "issuer": "https://api.botframework.com"
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-17T14:30:39.4133333+00:00
Hi S, Carol,

Thanks for sharing the details.

There are actually two different authentication scenarios in the Bot Framework ecosystem, and the issuer depends on which one you’re implementing:

1) Bot Connector → Bot (Service-to-Service Authentication)

This is the scenario described in the documentation you linked.

When the Bot Connector service sends requests to your bot (e.g., delivering messages from Teams), the token’s issuer is: https://api.botframework.com

The JWKS for validating these tokens is: https://login.botframework.com/v1/.well-known/keys

These tokens are signed by the Bot Connector service, not Azure AD.

2) User Authentication / Proactive Messaging (Azure AD Tokens)

If your bot is validating user identity (e.g., Teams SSO or proactive messages), the token comes from Azure AD.

In this case: iss = https://sts.windows.net/<tenant-id>/

JWKS URL: https://login.microsoftonline.com/<tenant-id>/discovery/keys

For Kyma APIRule v2, you need to configure the issuer that matches the token type you expect:

If you’re validating Bot Connector requests, use https://api.botframework.com.

If you’re validating user tokens, use the Azure AD issuer.

Hope this help clarify your concern.
Sayali-MSFT 4,341 Reputation points Microsoft External Staff Moderator

2025-11-18T07:03:09.2066667+00:00

Hi S, Carol, Could you please confirm if your issue has resolved with provided suggestions or still looking for any help?
S, Carol 0 Reputation points

2025-11-19T04:15:18.36+00:00

HI @Kudos-Ng , Thank you for the reply,
I tried with https://sts.windows.net/<tenant-id>/ as the issuer, and I'm getting invalid AppID, the error is inconsistent and sometimes i get error around correlation id too.

In the screenshot attached the body contains random values, but even with valid appID I'm facing the same issue.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-19T10:29:59.9733333+00:00
Hi S, Carol,

Thanks for sharing the additional details.

From the screenshot, it looks like you’re using an HTTP client (similar to Postman) to send a request to your bot’s /api/messages endpoint. That endpoint is normally where the Bot Connector service posts activities (e.g., when a user sends a message in Teams).

To better understand the scenario and why you’re seeing Invalid AppID, could you clarify:

Are you testing your bot’s message endpoint manually for debugging purposes?

Or are you trying to send a proactive message from your bot to a user/channel?

Or is this part of a Kyma APIRule v2 integration workflow where you’re validating tokens?

This context will help determine whether the issue is related to the token type, issuer configuration, or the way the request is being authenticated.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-20T09:29:01.9833333+00:00

Hi S, Carol,

Just checking in to see if you had a chance to review the previous response.

Your feedback would be very helpful in ensuring everything is on track.
S, Carol 0 Reputation points

2025-11-20T13:03:53.8433333+00:00

HI @Kudos-Ng
Yes, We are migrating from kyma API rule from V1 to V2, while testing /messages endpoint is not working. So for testing bot’s message endpoint manually for debugging purposes I'm trying via Bruno.

Is there anywhere else we need to white list the Issuer URL? As I am not able to view logs for /message endpoint, even in azure portal only this logs I am able to see.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-21T08:29:34.9433333+00:00
Hi S, Carol,

Thank you for sharing the updated context.

After reviewing the document you provided and the Kyma migration guide here: https://github.com/kyma-project/api-gateway/blob/main/docs/user/apirule-migration/01-83-migrate-jwt-v1beta1-to-v2.md, I understand that Kyma APIRule requires migration to v2, and in this version an explicit issuer must be configured. To validate tokens from the Bot Connector service to your bot’s /api/messages endpoint, you are currently testing manually.

Here are some important points I’d like to share:

About JWT tokens from Bot Connector service: These tokens are issued and signed by Microsoft’s Bot Connector service. Microsoft does not provide any official method to manually simulate these tokens for testing the /api/messages endpoint. The documentation only explains how to validate JWT tokens, not how to mint them for manual testing.

To confirm the correct issuer and JWKS URI: You can retrieve them from the OpenID configuration endpoint: GET https://login.botframework.com/v1/.well-known/openidconfiguration This will give you the exact issuer and jwks_uri values required for Kyma APIRule v2 configuration.

Why you don’t see logs in Azure: If Kyma APIRule rejects the request due to issuer mismatch, the request never reaches your bot’s message endpoint, so no logs appear in Azure Bot Service.

Recommended way to test after configuration: Once you update the issuer and JWKS URI in Kyma APIRule, test by sending a message to your bot from the Microsoft Teams client. This ensures the Bot Connector service calls your /api/messages endpoint with a valid token, allowing you to verify that authentication and routing work correctly.

I hope this helps clarify the authentication flow and gives you a clear path to validate your setup.
S, Carol 0 Reputation points

2025-11-21T10:52:47.1133333+00:00

Hi @Kudos-Ng
Thanks for the reply and for the information you provided.

We always test by sending a message to the bot from the Microsoft Teams client. Since we did not have any logs, we also tried calling the endpoint manually. When we were on the V1 API rule, we were retrieving the issuer and jwks_uri values from the OpenID configuration endpoint: GET https://login.botframework.com/v1/.well-known/openidconfiguration At that time, we never faced this validation issue.

We also reached out to the Kyma API Gateway team, and they confirmed that everything looks fine on their side and that no additional whitelisting is required.

Since we are getting blocked at the gateway layer while validating the issuer, is there any Azure-supported approach to configure noAuth so that we can skip the gateway-level issuer validation and instead perform token validation entirely at the application layer?
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-21T12:49:28.1666667+00:00

Hi S, Carol,

Thank you for clarifying.

It seems you have already followed the correct approach by using: GET https://login.botframework.com/v1/.well-known/openidconfiguration

to configure the issuer and jwks_uri in your Kyma APIRule v2, but it still doesn’t work. You also confirmed with the Kyma API Gateway team that there are no issues on their side, so exploring an Azure-supported approach to skip gateway-level issuer validation makes sense.

I looked into this and found that Kyma supports a noAuth access strategy, which you can configure for your /api/messages endpoint. This will allow the gateway to pass requests without JWT validation, and you can then implement token validation entirely at the application layer using the Bot Framework SDK.

Here’s the Kyma documentation for reference: https://kyma-project.io/external-content/api-gateway/docs/user/custom-resources/apirule/04-15-api-rule-access-strategies.html#configuration-of-the-noauth-access-strategy
Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

You can consider applying this for your message endpoint and then implement token validation at the endpoint itself.
S, Carol 0 Reputation points

2025-11-24T05:49:50.7766667+00:00

Hi @Kudos-Ng
I have tried noAuth as well, given in the documentation. I am facing the same issue,

Looks like azure does not support noAuth, Can you please confirm if it is possible, if yes, is there any documentations around this?
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-24T13:29:21.68+00:00
Hi S, Carol,

Thank you for following up and sharing more details.

Regarding your question “Looks like Azure does not support noAuth”, I’d like to clarify:

The previous suggestion about noAuth refers to Kyma APIRule gateway configuration.

Azure Bot Service itself does not provide a “No Auth” option because JWT validation is the minimum security mechanism for API communication. There is no way to disable authentication on Azure’s side.

I reviewed Kyma documentation and found this tutorial: https://kyma-project.io/external-content/api-gateway/docs/user/tutorials/01-40-expose-workload-noauth.html
Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

Since you are migrating to APIRule v2, Kyma’s docs highlight an important requirement:

Please verify that Istio sidecar injection is enabled for your bot workload. Without this, APIRule v2 (including noAuth) may not function correctly, and the gateway will block traffic before it reaches your bot’s /api/messages endpoint.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-25T14:06:44.03+00:00

Hi S, Carol,

Just checking in to see if you had a chance to review the previous response.

Your feedback would be very helpful in ensuring everything is on track.
S, Carol 0 Reputation points

2025-11-26T08:03:01.7233333+00:00
Hi @Kudos-Ng
I have tried all the approaches you mentioned, but unfortunately none of them worked. I have also verified that all the prerequisites are met, and our cluster does have sidecar injection enabled.

I understand that Azure Bot Service does not offer a “noAuth” option and that JWT validation is the minimum required security mechanism for API communication. However, could you please confirm whether Azure Bot Service allows noAuth at the gateway layer?

Additionally, our application exposes four endpoints, and the /api/health endpoint, which also uses JWT authentication, is working correctly. This indicates that the authentication scheme itself is not the issue. Our current assumption is that the problem may be related to the issuer configuration on the Microsoft side rather than the setup within our cluster.

healthRule: methods: | ["GET"] jwks: trustedIssuers: https://integration.api.[Moderator note: personal info removed].com url: https://www-integration.api.[Moderator note: personal info removed].com/oauth2/v0/jwks messagesRule: methods: | ["POST"] jwks: trustedIssuers: https://api.botframework.com url: https://login.botframework.com/v1/.well-known/keys

If not, is there an alternative approach we should consider? We are currently blocked, so any guidance you can provide would be greatly appreciated.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-11-27T09:00:01.6666667+00:00

Hi S, Carol,

Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data.

At this point, I regret to inform you that I don’t have any additional insights to share on this matter. I’ve conducted further research; however, due to limitations in simulating the environment and the absence of official documentation, I haven’t been able to uncover new findings.

That said, I would recommend exploring discussions on platforms such as GitHub or Microsoft Tech Community, where seasoned technical experts often share valuable perspectives. These forums can provide alternative viewpoints and practical experiences that may help address your concerns.

Best regards,
S, Carol 0 Reputation points

2025-12-01T07:10:06.4366667+00:00

HI @Kudos-Ng
I think I have made some progress, Upon debugging, I have figured out that the access token I am receiving to validate /messages endpoint is generated differently and not from this endpoint mentioned in the documentation.

Could you please provide the endpoint that generates the access token to validate /messages endpoint for Authenticating requests from the Bot Connector service to my bot?

Thank you.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-12-01T09:33:06.48+00:00
Hi S, Carol,

Thank you for coming back and sharing more details.

Based on what I’ve researched, here’s what I can clarify:

There is no public endpoint for developers to generate the token used by the Bot Connector service when calling your bot’s /api/messages endpoint. These tokens are issued internally by the Bot Connector service when it sends activities to your bot. This is why the documentation only provides the OpenID configuration URL: GET https://login.botframework.com/v1/.well-known/openidconfiguration for validation purposes, not for token generation.

Any token you generate via: POST https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token is for outbound calls (from your bot to Bot Connector service), not for inbound requests from the Bot Connector service to your bot’s /api/messages endpoint.

If you are looking for an alternative way to test and debug your authentication gateway, you can consider using Bot Framework Emulator.

Note: While the Emulator uses the same authentication technologies described in the documentation, it cannot impersonate the real Bot Connector service. Instead, it uses the Microsoft App ID and Microsoft App Password you provide when connecting the Emulator to your bot to create tokens that mimic those your bot would generate.

I hope this information helps clarify your question.
S, Carol 0 Reputation points

2025-12-04T04:49:22.6233333+00:00

Hi @Kudos-Ng
Can you please confirm if the token generated by the bot connector to authenticate the bot has "sub" claim, as the product kyma uses for authorization in APIRule v2 requires it.
Kudos-Ng 10,385 Reputation points Microsoft External Staff Moderator

2025-12-04T12:41:01.56+00:00
Hi S, Carol,

Thank you for asking this follow-up question.

I’ve looked into it, and unfortunately, I couldn’t find any official documentation that explicitly guarantees the presence of the sub claim in Bot Framework authentication tokens.

As far as I know:

The sub (subject) claim is part of the standard JWT specification and is commonly included in tokens issued by identity providers.

However, the sub claim is standard for user-centric tokens (e.g., Azure AD ID tokens or OAuth flows).

Bot Connector tokens are service-to-service tokens. They are designed to authenticate the channel, not a user, so sub is typically not included.

To confirm this in your environment:

Capture a request from the Bot Connector service when it POSTs to your /api/messages endpoint.

Extract the Authorization header (Bearer JWT token).

Decode the token and check if the sub claim is present.

If sub is missing, this is by design.

Share via

Issuer URL for MS Teams bot framework

1 answer

Your answer