aud (Audience) Claim
The aud (audience) claim identifies the recipients for which the JWT is intended. It can be a string or array of strings, such as an API identifier or resource server URL. Verifiers must reject tokens whose aud does not include their own audience value. This prevents access tokens issued for one API from being presented to another service that happens to share the same issuer. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.
Why It Matters
aud is critical in microservice architectures and OAuth 2.0, where a single authorization server issues tokens for many resource servers. Skipping audience validation is a common source of lateral movement after token theft. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses. Review this during every auth-related change, including framework upgrades, CDN additions, and new mobile or third-party clients.
Code Example
{
"iss": "https://auth.example.com",
"aud": "https://api.example.com",
"sub": "user_42"
}Related Terms
Related Tools
Related Articles
Frequently Asked Questions
Can aud be an array?
Yes. RFC 7519 allows a string or array of strings. Verifiers check whether their audience appears in the list. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
What should I use as aud?
A stable API identifier, often a URI or logical name registered for your resource server. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
Is aud the same as OAuth client ID?
Related but not identical. In OAuth, azp or client_id may also matter depending on your authorization model. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.