
5
  • Oh, I see. It was a misunderstanding on my part because I thought two things: 1. You had to have both "iss" and "aud" as part of the claims. 2. They had to be unique to each other. This obviously is not the truth. So, if you have an application such as mine, would you even include those two claims in your JWT or leave them out since they would be identical? Commented Sep 5, 2017 at 2:01
  • You could certainly leave them out and add them later when you have a reason to use them. Commented Sep 5, 2017 at 2:03
  • Would aud sometimes be a third party or not? Commented May 5, 2020 at 18:07
  • I guess I'm also confused why scopes wouldn't be used for indicating that the user is approved for a given application. Commented May 5, 2020 at 18:08
  • 1
    Yes, aud can be a single value or an array. It's supposed to match on each intended recipient or processor. Let's say you're a user (or application) that wants to call api.example.com to run a query. If api.example.com trusts some third party auth service (e.g. Auth0) to handle authentication, then that auth service should populate aud with 'api.example.com', and the app at 'api.example.com' should verify that's the case. Scopes are more granular than audience, and can be included in the payload as well. Commented May 6, 2020 at 3:48