diff --git a/src/pocketmine/network/mcpe/VerifyLoginTask.php b/src/pocketmine/network/mcpe/VerifyLoginTask.php
index 49bf12d4a..e71bec8c5 100644
--- a/src/pocketmine/network/mcpe/VerifyLoginTask.php
+++ b/src/pocketmine/network/mcpe/VerifyLoginTask.php
@@ -59,11 +59,13 @@ class VerifyLoginTask extends AsyncTask{
 		$packet = $this->packet; //Get it in a local variable to make sure it stays unserialized
 
 		$currentKey = null;
+		$first = true;
 
 		foreach($packet->chainData["chain"] as $jwt){
-			if(!$this->validateToken($jwt, $currentKey)){
+			if(!$this->validateToken($jwt, $currentKey, $first)){
 				return;
 			}
+			$first = false;
 		}
 
 		if(!$this->validateToken($packet->clientDataJwt, $currentKey)){
@@ -73,12 +75,17 @@ class VerifyLoginTask extends AsyncTask{
 		$this->valid = true;
 	}
 
-	private function validateToken(string $jwt, ?string &$currentPublicKey) : bool{
+	private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : bool{
 		[$headB64, $payloadB64, $sigB64] = explode('.', $jwt);
 
 		$headers = json_decode(base64_decode(strtr($headB64, '-_', '+/'), true), true);
 
-		if($currentPublicKey === null){ //First link, check that it is self-signed
+		if($currentPublicKey === null){
+			if(!$first){
+				return false; //we should have a key but the last link didn't have one
+			}
+
+			//First link, check that it is self-signed
 			$currentPublicKey = $headers["x5u"];
 		}
 
@@ -125,7 +132,7 @@ class VerifyLoginTask extends AsyncTask{
 			return false; //token has expired
 		}
 
-		$currentPublicKey = $claims["identityPublicKey"]; //the next link should be signed with this
+		$currentPublicKey = $claims["identityPublicKey"] ?? null; //if there are further links, the next link should be signed with this
 
 		return true;
 	}