ASVS Requirement 9.2.3

• Level: 2
• Chapter: V9 Self-contained Tokens
• Section: V9.2 Token content
• Source: 0x18-V9-Self-contained-Tokens.md

Description

Verify that the service only accepts tokens which are intended for use with that service (audience). For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service.