diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs
index 75f3edfc..0cf8c501 100644
--- a/biscuit-auth/src/token/unverified.rs
+++ b/biscuit-auth/src/token/unverified.rs
@@ -10,7 +10,7 @@ use crate::{
 error,
 format::{convert::proto_block_to_token_block, schema, SerializedBiscuit},
 token::{ThirdPartyBlockContents, ThirdPartyRequest},
- KeyPair,
+ KeyPair, RootKeyProvider,
 };

 use prost::Message;
@@ -19,7 +19,7 @@ use prost::Message;
 /// Use this if you want to attenuate or print the content of a token
 /// without verifying it.
 ///
-/// It can be converted to a [Biscuit] using [UnverifiedBiscuit::check_signature],
+/// It can be converted to a [Biscuit] using [UnverifiedBiscuit::verify],
 /// and then used for authorization
 #[derive(Clone, Debug)]
 pub struct UnverifiedBiscuit {
@@ -47,13 +47,22 @@ impl UnverifiedBiscuit {
 Self::from_base64_with_symbols(slice, default_symbol_table())
 }

+ #[deprecated(since = "4.1.0", note = "please use `verify` instead")]
 /// checks the signature of the token and convert it to a [Biscuit] for authorization
 pub fn check_signature(self, f: F) -> Result
 where
 F: Fn(Option) -> PublicKey,
 {
- let root = f(self.container.root_key_id);
- self.container.verify(&root)?;
+ self.verify(|kid| Ok(f(kid)))
+ }
+
+ /// checks the signature of the token and convert it to a [Biscuit] for authorization
+ pub fn verify(self, key_provider: KP) -> Result
+ where
+ KP: RootKeyProvider,
+ {
+ let key = key_provider.choose(self.root_key_id())?;
+ self.container.verify(&key)?;
 Ok(Biscuit {
 root_key_id: self.container.root_key_id,