Good Question.
What issue are you facing? Provide little more error details..
Check with the system which generated the nested JWT - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token#appendix-A.2 (this is very common use case  with nested jwt's in open banking- not exactly though ) & check the process of validation outside the apigee layer to understand  signing/encryption process.
Once you get the concept it will be easy to follow thru & implement in apigee. It's about chaining with in the apigee layer validating outer JWT & reading the values of innner jwt & passing it to next verification with proper alg/enc values..

Can you drop outer/inner JWT into https://jwt.io/ or https://dinochiesa.github.io/jwt/ & validate/review claims ( you may not see if it is encrypted unless you provide pvt key.
 
 

The support I described there for encrypted JWT is available in OPDK, Edge as well as X & hybrid.

But, please note - it applies to Encrypted JWT, which are a particular kind of JWE.

If the distinction is not clear to you, then you'll want to double-check what you have inside the signed JWT.

I'll try to summarize the difference here.

There is a "family" of IETF specifications called JSON Object Signing and Encryption, under the acronym "JOSE".

JOSE includes these specs:

The "JSON" in the name does not imply that the signing or encrypting can be done only on JSON objects. Instead, it implies that the JSON is used to encode the signature. For example you could use JWS to sign a JSON, or a PDF, or a .PNG, or even an XML document. The result is "wrapped in" a JSON wrapper that encodes the signed thing (maybe the XML document) as well as a JSON header that describes how the signature was computed, and the signature bytestream itself. Similarly you can use JWE to encrypt anything, any document or bytestream. One option is to encrypt a JSON payload. The result of that operation we would call an encrypted JWT. Whether using signing or encryption, only if the signed or encrypted payload itself is a JSON object, can we call the result a JWT.

So you see, Apigee has builtin support for "encrypted JWT", which is to say, for JWT that are encrypted according to the JWE spec. Another way to say it is, Apigee has support for JWE, only if the encrypted thing is a JSON object. But Apigee does not have builtin support for JWE in general. For that you need to use the external callout, which as I have said, is limited in that it supports only RSA-based crypto algorithms.

I hope this is all clear.

You gave me the algorithms that are used on the inner thing - which you have called a JWE. And you've also called it a token.

Yes we do have same inner token is JWE

The algorithms you cited are valid algorithms for the JWE, according to RFC 7516. But I'm still not clear on whether the encrypted thing is a JSON or not. If it is a JSON payload, then Apigee supports it. If it is not a JSON payload, then Apigee does not have support for that thing.

I cannot tell, from the information you've given here, what that JWE is. Is it an encrypted JWT, or a general JWE? You need to find out.

Just use the policy. You need to specify in the VerifyJWT configuration, at a minimum,

• the key encryption algorithm
• the private key.
• the source (variable containing eJWT)

Something like this 

<VerifyJWT name=“VJWT-1”>
  <Algorithms>
    <Key>ECDH-ES+A256KW</Key>
  </Algorithms>
  <PrivateKey>
    <Value ref=“private.private-key-PEM”/>
  </PrivateKey>
  <Source>variable-containing-encrypted-jwt</Source>
  …

check the documentation for more details. 

Thank you it worked . Delayed in replying .Thank you for the help .

I appreciate the confirmation, thank you!

Thanks