ASVS Requirement 10.3.1
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.3 OAuth Resource Server
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the resource server only accepts access tokens that are intended for use with that service (audience). The audience may be included in a structured access token (such as the 'aud' claim in JWT), or it can be checked using the token introspection endpoint.
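The audience check this requirement asks for, as an added example that is not part of the ASVS text; it assumes a hypothetical resource identifier `https://api.example.com`, the claim set of a JWT whose signature has already been verified, and an RFC 7662 introspection response, and handles both the string and the array form of `aud`:

```python
"""Audience check for an OAuth resource server (ASVS 10.3.1).

Works on the claim set of an already signature-verified JWT access token
or on a token introspection response (RFC 7662). Per RFC 7519 section 4.1.3
the 'aud' claim is either a single string or an array of strings; a token
that names this service in 'aud' is accepted, anything else is rejected.
"""
from typing import Any, Mapping

RESOURCE_ID = "https://api.example.com"  # assumed identifier of this resource server


def audience_accepted(claims: Mapping[str, Any], resource_id: str = RESOURCE_ID) -> bool:
    """Return True only if 'aud' is present and names resource_id."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False  # missing or malformed audience: reject
    return resource_id in audiences


def introspection_accepted(response: Mapping[str, Any], resource_id: str = RESOURCE_ID) -> bool:
    """Apply the same rule to an RFC 7662 introspection response.

    An inactive token is rejected regardless of its claims; an active one
    must still carry an 'aud' that names this service.
    """
    if response.get("active") is not True:
        return False
    return audience_accepted(response, resource_id)


# Constructed sample inputs (not real tokens).
JWT_CLAIMS_OK = {"iss": "https://as.example.com", "sub": "user-1",
                 "aud": ["https://api.example.com", "https://other.example.com"]}
JWT_CLAIMS_OTHER_SERVICE = {"iss": "https://as.example.com", "sub": "user-1",
                            "aud": "https://other.example.com"}
INTROSPECTION_OK = {"active": True, "aud": "https://api.example.com", "scope": "read"}
INTROSPECTION_REVOKED = {"active": False, "aud": "https://api.example.com"}

if __name__ == "__main__":
    for name, claims in [("jwt ok", JWT_CLAIMS_OK), ("jwt other service", JWT_CLAIMS_OTHER_SERVICE)]:
        print(name, audience_accepted(claims))
    for name, resp in [("introspection ok", INTROSPECTION_OK), ("introspection revoked", INTROSPECTION_REVOKED)]:
        print(name, introspection_accepted(resp))
```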