diff --git a/eventmesh-security-plugin/eventmesh-security-auth-token/src/main/java/org/apache/eventmesh/auth/token/impl/auth/AuthTokenUtils.java b/eventmesh-security-plugin/eventmesh-security-auth-token/src/main/java/org/apache/eventmesh/auth/token/impl/auth/AuthTokenUtils.java
index 41ceca5490..16005649f4 100644
--- a/eventmesh-security-plugin/eventmesh-security-auth-token/src/main/java/org/apache/eventmesh/auth/token/impl/auth/AuthTokenUtils.java
+++ b/eventmesh-security-plugin/eventmesh-security-auth-token/src/main/java/org/apache/eventmesh/auth/token/impl/auth/AuthTokenUtils.java
@@ -33,6 +33,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.Objects;
 import java.util.Set;
 
 import io.jsonwebtoken.Claims;
@@ -51,41 +52,8 @@ public static void authTokenByPublicKey(AclProperties aclProperties) {
                 throw new AclException("group:" + aclProperties.getExtendedField("group ") + " has no auth to access the topic:"
                     + aclProperties.getTopic());
             }
-            String publicKeyUrl = null;
-            token = token.replace("Bearer ", "");
-            for (String key : ConfigurationContextUtil.KEYS) {
-                CommonConfiguration commonConfiguration = ConfigurationContextUtil.get(key);
-                if (commonConfiguration == null) {
-                    continue;
-                }
-                if (StringUtils.isBlank(commonConfiguration.getEventMeshSecurityPublickey())) {
-                    throw new AclException("publicKeyUrl cannot be null");
-                }
-                publicKeyUrl = commonConfiguration.getEventMeshSecurityPublickey();
-            }
-            byte[] validationKeyBytes = new byte[0];
-            try {
-                validationKeyBytes = Files.readAllBytes(Paths.get(publicKeyUrl));
-                X509EncodedKeySpec spec = new X509EncodedKeySpec(validationKeyBytes);
-                KeyFactory kf = KeyFactory.getInstance("RSA");
-                Key validationKey = kf.generatePublic(spec);
-                JwtParser signedParser = Jwts.parserBuilder().setSigningKey(validationKey).build();
-                Jwt<?, Claims> signJwt = signedParser.parseClaimsJws(token);
-                String sub = signJwt.getBody().get("sub", String.class);
-                if (!sub.contains(aclProperties.getExtendedField("group").toString()) && !sub.contains("pulsar-admin")) {
-                    throw new AclException("group:" + aclProperties.getExtendedField("group ") + " has no auth to access eventMesh:"
-                        + aclProperties.getTopic());
-                }
-            } catch (IOException e) {
-                throw new AclException("public key read error!", e);
-            } catch (NoSuchAlgorithmException e) {
-                throw new AclException("no such RSA algorithm!", e);
-            } catch (InvalidKeySpecException e) {
-                throw new AclException("invalid public key spec!", e);
-            } catch (JwtException e) {
-                throw new AclException("invalid token!", e);
-            }
-
+            String publicKeyUrl = getPublicKeyUrl();
+            validateToken(token, publicKeyUrl, aclProperties);
         } else {
             throw new AclException("invalid token!");
         }
@@ -94,40 +62,7 @@ public static void authTokenByPublicKey(AclProperties aclProperties) {
     public static void helloTaskAuthTokenByPublicKey(AclProperties aclProperties) {
         String token = aclProperties.getToken();
         if (StringUtils.isNotBlank(token)) {
-            String publicKeyUrl = null;
-            token = token.replace("Bearer ", "");
-            for (String key : ConfigurationContextUtil.KEYS) {
-                CommonConfiguration commonConfiguration = ConfigurationContextUtil.get(key);
-                if (commonConfiguration == null) {
-                    continue;
-                }
-                if (StringUtils.isBlank(commonConfiguration.getEventMeshSecurityPublickey())) {
-                    throw new AclException("publicKeyUrl cannot be null");
-                }
-                publicKeyUrl = commonConfiguration.getEventMeshSecurityPublickey();
-            }
-            byte[] validationKeyBytes = new byte[0];
-            try {
-                validationKeyBytes = Files.readAllBytes(Paths.get(publicKeyUrl));
-                X509EncodedKeySpec spec = new X509EncodedKeySpec(validationKeyBytes);
-                KeyFactory kf = KeyFactory.getInstance("RSA");
-                Key validationKey = kf.generatePublic(spec);
-                JwtParser signedParser = Jwts.parserBuilder().setSigningKey(validationKey).build();
-                Jwt<?, Claims> signJwt = signedParser.parseClaimsJws(token);
-                String sub = signJwt.getBody().get("sub", String.class);
-                if (!sub.contains(aclProperties.getExtendedField("group").toString()) && !sub.contains("pulsar-admin")) {
-                    throw new AclException("group:" + aclProperties.getExtendedField("group ") + " has no auth to access eventMesh:"
-                        + aclProperties.getTopic());
-                }
-            } catch (IOException e) {
-                throw new AclException("public key read error!", e);
-            } catch (NoSuchAlgorithmException e) {
-                throw new AclException("no such RSA algorithm!", e);
-            } catch (InvalidKeySpecException e) {
-                throw new AclException("invalid public key spec!", e);
-            } catch (JwtException e) {
-                throw new AclException("invalid token!", e);
-            }
+            validateToken(token, getPublicKeyUrl(), aclProperties);
         } else {
             throw new AclException("invalid token!");
         }
@@ -148,4 +83,45 @@ public static boolean authAccess(AclProperties aclProperties) {
         return groupTopics.contains(topic);
     }
 
+    private static String getPublicKeyUrl() {
+        String publicKeyUrl = null;
+        for (String key : ConfigurationContextUtil.KEYS) {
+            CommonConfiguration commonConfiguration = ConfigurationContextUtil.get(key);
+            if (null == commonConfiguration) {
+                continue;
+            }
+            if (StringUtils.isBlank(commonConfiguration.getEventMeshSecurityPublickey())) {
+                throw new AclException("publicKeyUrl cannot be null");
+            }
+            publicKeyUrl = commonConfiguration.getEventMeshSecurityPublickey();
+        }
+        return publicKeyUrl;
+    }
+
+    private static void validateToken(String token, String publicKeyUrl, AclProperties aclProperties) {
+        String sub;
+        token = token.replace("Bearer ", "");
+        byte[] validationKeyBytes;
+        try {
+            validationKeyBytes = Files.readAllBytes(Paths.get(Objects.requireNonNull(publicKeyUrl)));
+            X509EncodedKeySpec spec = new X509EncodedKeySpec(validationKeyBytes);
+            KeyFactory kf = KeyFactory.getInstance("RSA");
+            Key validationKey = kf.generatePublic(spec);
+            JwtParser signedParser = Jwts.parserBuilder().setSigningKey(validationKey).build();
+            Jwt<?, Claims> signJwt = signedParser.parseClaimsJws(token);
+            sub = signJwt.getBody().get("sub", String.class);
+            if (!sub.contains(aclProperties.getExtendedField("group").toString()) && !sub.contains("pulsar-admin")) {
+                throw new AclException("group:" + aclProperties.getExtendedField("group ") + " has no auth to access eventMesh:"
+                    + aclProperties.getTopic());
+            }
+        } catch (IOException e) {
+            throw new AclException("public key read error!", e);
+        } catch (NoSuchAlgorithmException e) {
+            throw new AclException("no such RSA algorithm!", e);
+        } catch (InvalidKeySpecException e) {
+            throw new AclException("invalid public key spec!", e);
+        } catch (JwtException e) {
+            throw new AclException("invalid token!", e);
+        }
+    }
 }