diff --git a/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.java b/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.java
index 7854f41049..c3996bc21a 100644
--- a/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.java
+++ b/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.java
@@ -126,6 +126,8 @@ private Jwt verifyToken(JWT jwt) {
 try {
 String kid = tokenInfoExtractor.getKid(jwt);
 String uaaDomain = tokenInfoExtractor.getUaaDomain(jwt);
+ validateJwksParameters(kid, uaaDomain);
+
 return verifyToken(jwt.getParsedString(), kid, uaaDomain, getZid(jwt));
 } catch (BadJwtException e) {
 if (e.getMessage().contains("Couldn't retrieve remote JWK set")
@@ -168,7 +170,6 @@ private Jwt verifyToken(String token, String kid, String uaaDomain, String zid)
 }
 try {
- canVerifyWithKey(kid, jku);
 return verifyWithKey(token, jku, kid);
 } catch (JwtValidationException ex) {
 throw ex;
@@ -177,7 +178,7 @@ private Jwt verifyToken(String token, String kid, String uaaDomain, String zid)
 }
 }
- private void canVerifyWithKey(String kid, String uaadomain) {
+ private void validateJwksParameters(String kid, String uaadomain) {
 if (kid != null && uaadomain != null) {
 return;
 }
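Review bot: The guard that moved into the outer verifyToken now checks `uaaDomain`, whereas the removed call in the second hunk checked the derived `jku`, so a null `jku` produced from a non-null domain is no longer rejected before `verifyWithKey(token, jku, kid)` unless the code preceding that `try` (outside the hunk) already handles it; worth confirming. The renamed `validateJwksParameters` has no Javadoc even though it is now the only pre-flight check before a JWKS lookup driven by the token-supplied `kid` and domain claims, so add a summary such as `/** Rejects a token whose kid or uaa-domain claim is missing before any JWKS lookup is attempted. */` with an `@throws` tag naming the exception raised after the early return, which lies outside the hunk. Its parameter `uaadomain` should be `uaaDomain` to match both callers and the surrounding naming. Both verifyToken bodies and validateJwksParameters continue beyond the hunks shown.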