diff --git a/src/ripple/app/misc/impl/ValidatorKeys.cpp b/src/ripple/app/misc/impl/ValidatorKeys.cpp
index c658269f6ad..599d83c567b 100644
--- a/src/ripple/app/misc/impl/ValidatorKeys.cpp
+++ b/src/ripple/app/misc/impl/ValidatorKeys.cpp
@@ -24,6 +24,7 @@
 #include <ripple/basics/Log.h>
 #include <ripple/core/Config.h>
 #include <ripple/core/ConfigSections.h>
+#include <beast/core/detail/base64.hpp>
 
 namespace ripple {
 ValidatorKeys::ValidatorKeys(Config const& config, beast::Journal j)
@@ -42,9 +43,23 @@ ValidatorKeys::ValidatorKeys(Config const& config, beast::Journal j)
         if (auto const token = ValidatorToken::make_ValidatorToken(
                 config.section(SECTION_VALIDATOR_TOKEN).lines()))
         {
-            secretKey = token->validationSecret;
-            publicKey = derivePublicKey(KeyType::secp256k1, secretKey);
-            manifest = std::move(token->manifest);
+            auto const pk = derivePublicKey(
+                KeyType::secp256k1, token->validationSecret);
+            auto const m = Manifest::make_Manifest(
+                beast::detail::base64_decode(token->manifest));
+
+            if (! m || pk != m->signingKey)
+            {
+                configInvalid_ = true;
+                JLOG(j.fatal())
+                    << "Invalid token specified in [" SECTION_VALIDATOR_TOKEN "]";
+            }
+            else
+            {
+                secretKey = token->validationSecret;
+                publicKey = pk;
+                manifest = std::move(token->manifest);
+            }
         }
         else
         {
diff --git a/src/test/app/ValidatorKeys_test.cpp b/src/test/app/ValidatorKeys_test.cpp
index 7fb8d32bfdc..62c59dc2af9 100644
--- a/src/test/app/ValidatorKeys_test.cpp
+++ b/src/test/app/ValidatorKeys_test.cpp
@@ -57,6 +57,17 @@ class ValidatorKeys_test : public beast::unit_test::suite
         "gBD67kMaRFGvmpATHlGKJdvDFlWPYy5AqDedFv5TJa2w0i21eq3MYywLVJZnFOr7C0kw"
         "2AiTzSCjIzditQ8=";
 
+    // Manifest does not match private key
+    const std::vector<std::string> invalidTokenBlob = {
+        "eyJtYW5pZmVzdCI6IkpBQUFBQVZ4SWUyOVVBdzViZFJudHJ1elVkREk4aDNGV1JWZl\n",
+        "k3SXVIaUlKQUhJd3MxdzZzM01oQWtsa1VXQWR2RnFRVGRlSEpvS1pNY0hlS0RzOExo\n",
+        "b3d3bDlHOEdkVGNJbmFka1l3UkFJZ0h2Q01lQU1aSzlqQnV2aFhlaFRLRzVDQ3BBR1\n",
+        "k0bGtvZHRXYW84UGhzR3NDSUREVTA1d1c3bWNiMjlVNkMvTHBpZmgvakZPRGhFR21i\n",
+        "NWF6dTJMVHlqL1pjQkpBbitmNGhtQTQ0U0tYbGtTTUFqak1rSWRyR1Rxa21SNjBzVG\n",
+        "JaTjZOOUYwdk9UV3VYcUZ6eDFoSGIyL0RqWElVZXhDVGlITEcxTG9UdUp1eXdXbk55\n",
+        "RFE9PSIsInZhbGlkYXRpb25fc2VjcmV0X2tleSI6IjkyRDhCNDBGMzYwMTc5MTkwMU\n",
+        "MzQTUzMzI3NzBDMkUwMTA4MDI0NTZFOEM2QkI0NEQ0N0FFREQ0NzJGMDQ2RkYifQ==\n"};
+
 public:
     void
     run() override
@@ -141,6 +152,17 @@ class ValidatorKeys_test : public beast::unit_test::suite
             BEAST_EXPECT(k.manifest.empty());
         }
 
+        {
+            // Token manifest and private key must match
+            Config c;
+            c.section(SECTION_VALIDATOR_TOKEN).append(invalidTokenBlob);
+            ValidatorKeys k{c, j};
+
+            BEAST_EXPECT(k.configInvalid());
+            BEAST_EXPECT(k.publicKey.size() == 0);
+            BEAST_EXPECT(k.manifest.empty());
+        }
+
     }
 };  // namespace test