diff --git a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
index f1132af221..8dbb01b176 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java
@@ -50,27 +50,28 @@ public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvi
 try {
 boolean valid = true;
- RSATokenVerifier verifier = RSATokenVerifier.create(token)
- .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+ AccessToken toIntrospect = null;
- PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
- if (publicKey == null) {
- valid = false;
- } else {
- try {
+ try {
+ RSATokenVerifier verifier = RSATokenVerifier.create(token)
+ .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
+
+ PublicKey publicKey = session.keys().getPublicKey(realm, verifier.getHeader().getKeyId());
+ if (publicKey == null) {
+ valid = false;
+ } else {
 verifier.publicKey(publicKey);
 verifier.verify();
- } catch (VerificationException e) {
- valid = false;
+ toIntrospect = verifier.getToken();
 }
+ } catch (VerificationException e) {
+ valid = false;
 }
 RealmModel realm = this.session.getContext().getRealm();
 ObjectNode tokenMetadata;
- AccessToken toIntrospect = verifier.getToken();
-
- if (valid) {
+ if (valid && toIntrospect != null) {
 valid = tokenManager.isTokenValid(session, realm, toIntrospect);
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
index 85bd77fda2..cae907e7cc 100755
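Review bot: The new `catch (VerificationException e)` block turns every verification failure — an unparseable token, a wrong issuer, a signature mismatch — into `valid = false` with no trace at all, so an operator looking at a run of `active: false` responses cannot distinguish a malformed input from a rejected signature; a debug-level log entry carrying `e.getMessage()` (never the token string itself) would keep the response unchanged while making the path diagnosable. `toIntrospect` is only assigned after `verifier.verify()` returns and `valid` is only left true on that same path, so the `valid && toIntrospect != null` guard is redundant, though harmless as a defensive check. The new try block also calls `realm.getName()` while a local `RealmModel realm` is declared only a few lines later, which suggests the earlier reference resolves to a field that the later local then shadows; hoisting that declaration above the try would remove the ambiguity. The enclosing method starts and ends outside the hunk.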
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java
@@ -188,6 +188,24 @@ public class TokenIntrospectionTest extends TestRealmKeycloakTest {
 assertNull(rep.getSubject());
 }
+ @Test
+ public void testUnsupportedToken() throws Exception {
+ oauth.doLogin("test-user@localhost", "password");
+ String inactiveAccessToken = "unsupported";
+ String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", inactiveAccessToken);
+ ObjectMapper objectMapper = new ObjectMapper();
+ JsonNode jsonNode = objectMapper.readTree(tokenResponse);
+
+ assertFalse(jsonNode.get("active").asBoolean());
+
+ TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
+
+ assertFalse(rep.isActive());
+ assertNull(rep.getUserName());
+ assertNull(rep.getClientId());
+ assertNull(rep.getSubject());
+ }
+
 @Test
 public void testIntrospectAccessToken() throws Exception {
 oauth.doLogin("test-user@localhost", "password");
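Review bot: The local `inactiveAccessToken` in the new `testUnsupportedToken` holds the literal `"unsupported"`, which is not an inactive token but a string that is not a JWS at all, so the name misstates what the test exercises; `String malformedAccessToken = "unsupported";` would match the method name and make the intent clear to the next reader. The preceding `oauth.doLogin(...)` call looks unnecessary for this case, since the introspected string never comes from the login, though other tests in the class may rely on it for the client-credential call so this is worth confirming before removing. As written the test pins only the parse-failure branch of the provider's new catch; a companion case with a well-formed token that fails issuer or signature verification would cover the other branches routed through the same handler and guard against a regression returning a 500 there.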