LTI 1.3 : What to do with the id_token in Step 4
06-01-2021
06:42 AM
I've been setting up a hello world LTI 1.3, and I've got it working to the point that I'm getting back what appears to be a valid id_token.
I can take this id_token, and paste it into https://jwt.io/ and I can see expected results.
What I can't figure out is what jwt.io is doing to decode/decrypt this id_token. The docs say:
https://canvas.instructure.com/doc/api/file.lti_dev_key_config.html
- The request will include an id_token which is a signed JWT containing the LTI payload (user identifiers, course contextual data, custom data, etc.). Tools must validate the request is actually coming from Canvas using Canvas' public JWKs.
But the linked docs don't say "How" to perform this verification.
What is the workflow for decoding and validating the id_token once we've gotten it?