What is the JWT audience (aud) claim?

Last updated: April 1, 2026

Quick Answer: The JWT audience (aud) claim names the recipient or recipients a token is intended for. A recipient compares its own identifier against the aud value and rejects any token that does not name it, so a token issued for one service cannot be replayed against another.

Overview

The audience (aud) claim in a JWT specifies which service, application, or principal the token is intended for. It acts as a verification step on the receiving side: a recipient accepts a token only when the aud value names it. This check matters most in distributed systems where several services accept JWTs from the same issuer, because a valid signature alone says nothing about which service the token was minted for; without an audience check, a token obtained for one service can be replayed against any other service that trusts the same issuer.

Audience Claim Structure

The audience claim appears in the JWT payload under the 'aud' key with a value that identifies the intended recipient. Per RFC 7519, section 4.1.3, the value is either a single case-sensitive string, such as 'https://api.example.com' or 'mobile-app-client', or an array of such strings when the token is meant for several recipients; each string is a StringOrURI value, so a URI is a common choice. Each audience identifier should be unique to one service or application and chosen to be distinctive and unambiguous, so that similar services are not confused and access is not accidentally granted to the wrong recipient. Because the comparison is case-sensitive and exact, the issuer and the recipient must agree on the identifier byte for byte.

Audience Validation

When a service receives a JWT, it should verify the signature and then check the audience claim by testing whether its own identifier appears in the token's 'aud' value (as the single string, or as one element of the array). If the claim is present and does not contain the service's identifier, the token must be rejected; RFC 7519 makes this mandatory. Both checks should happen before any other claim (sub, roles, scopes) is acted on. This is what stops a token issued for Service A from being accepted by Service B: Service B can verify the signature just as well as Service A, because both trust the same issuer key, so the signature alone cannot tell the two contexts apart. Audience validation is therefore especially critical wherever multiple services share an issuing authority or public key. One practical caveat: several JWT libraries only compare the audience when the caller supplies an expected value, so a verifier that never configures its own audience may silently skip this check.

Use Cases and Scenarios

Audience validation is essential in multi-service architectures, APIs with multiple endpoints, single sign-on systems, and microservices environments. For example, a company might issue a single JWT that is valid for several services, but each service must still check that the audience includes its own identifier. In mobile applications, the audience might distinguish tokens intended for the Android app, the iOS app, or the web client. This granular control limits the blast radius of a compromised or leaked token to the recipients named in it.

Best Practices

Always include an audience claim in JWTs unless there is a specific reason not to. Define audience values clearly and consistently across your organization. Each service should validate the audience claim on every token it receives, and should configure its JWT library with its own expected audience explicitly rather than relying on a default that may skip the check. Use unique, descriptive identifiers that clearly indicate the intended recipient. When issuing tokens for multiple recipients, include all intended audience values in an array. Document your audience strategy so that developers implementing token validation understand and apply it correctly.

Related Questions

What other claims are included in a JWT token?

Common JWT claims include 'sub' (subject/user ID), 'iss' (issuer), 'exp' (expiration time), 'iat' (issued at), 'jti' (JWT ID), and custom claims containing application-specific data.

What happens if a token doesn't include an audience claim?

RFC 7519 makes 'aud' optional and only mandates rejection when the claim is present and does not name the recipient, so the receiving service must set its own policy for a missing claim. A service that is meant to receive audience-scoped tokens should reject tokens without one; accepting them unconditionally reintroduces the cross-service reuse the claim exists to prevent.

Can a JWT token have multiple audience values?

Yes, the 'aud' claim can be an array containing multiple values, allowing a single token to be valid for multiple intended recipients or services. Each recipient checks only that its own identifier is one of the array's elements.

Sources

  1. RFC 7519, JSON Web Token (JWT), section 4.1.3, "aud" (Audience) Claim (Public Domain)
  2. Wikipedia, JSON Web Token (CC-BY-SA-4.0)
  3. JWT.io, JSON Web Tokens (MIT)