<div dir="auto"><div><div dir="auto">The audience (<code>aud</code>) claim in OAuth 2.0 tokens is crucial for API security, defining the intended recipient of the token. The system receiving the token must validate the <code>aud</code> claim against its own identifier to prevent token misuse and unauthorized access. If the <code>aud</code> claim does not match the expected API identifier, the token should be rejected.</div><hr><div dir="auto">Best Practices for <code>aud</code> validation</div><ul><li>Always validate the <code>aud</code> claim in your API.</li><li>Ensure the audience matches the API's identifier.</li><li>Reject tokens with unexpected or missing <code>aud</code> claims.</li></ul></div><div data-smartmail="gmail_signature">Shannon Day</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, Sep 16, 2025, 12:41 PM github--- via Openid-specs-risc <<a href="mailto:openid-specs-risc@lists.openid.net">openid-specs-risc@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div>
openid/sharedsignals event <br>
<br>
Issue Comment created on issue 230 <br>
Issue Title: Confusion about the origin of the 'aud' value in the stream configuration
<br>
<a href="https://github.com/openid/sharedsignals/issues/230" target="_blank" rel="noreferrer">https://github.com/openid/sharedsignals/issues/230</a> <br>
<br>
Comment: I have now seen three possibilities for defining the `aud` value in implementations. We should decide which of these is the "correct" way to do things so that Transmitters and Receivers can all build with the same expectations.<br>
<br>
1. ReceiverCompany says, _"My aud value is <a href="http://www.receivercompany.com" target="_blank" rel="noreferrer">www.receivercompany.com</a>"._ They set up an agreement with TransmitterCompany so that any streams set up between the two companies use "<a href="http://www.receivercompany.com" target="_blank" rel="noreferrer">www.receivercompany.com</a>" as the aud value. The auth provided during stream creation allows the Transmitter to check that the Receiver is coming from ReceiverCompany and it is safe to send that aud value.<br>
<br>
2. ReceiverCompany says, _"My aud value is <a href="http://www.receivercompany.com" target="_blank" rel="noreferrer">www.receivercompany.com</a>"_. TransmitterCompany offers a UI that allows an admin to create a stream with any company. In the UI, the admin is asked to plug in the aud value. For streams that the admin creates with ReceiverCompany, they plug in "<a href="http://www.receivercompany.com" target="_blank" rel="noreferrer">www.receivercompany.com</a>" as the aud value. The auth provided during stream creation allows the Transmitter to check that the Receiver is coming from ReceiverCompany and it is safe to send that aud value.<br>
<br>
3. When TransmitterCompany creates a stream, they generate a unique aud value for the stream without regard for what company runs the Receiver. The auth provided during stream creation ensures that this is safe and uniquely identifies a Receiver.
</div>

_______________________________________________<br>
Openid-specs-risc mailing list<br>
<a href="mailto:Openid-specs-risc@lists.openid.net" target="_blank" rel="noreferrer">Openid-specs-risc@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-risc" rel="noreferrer noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-risc</a><br>
</blockquote></div>
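As an added example (not code from either message above, nor from the Shared Signals project), the check Shannon Day's reply describes, written as a Python validator on the receiving side: the `aud` claim must be present, must be a string or a non-empty array of strings (the two forms RFC 7519 allows), and one of the values must equal this API's identifier by exact, case-sensitive string comparison; anything else is rejected. The signature is verified first, with HS256 and a shared key, so the block runs stand-alone. The identifier `https://api.example.com`, the key, the sample payloads and the function names (`make_hs256_token`, `verify_hs256`, `audience_accepted`, `accept_token`, `demo`) are all constructed for this example. Whichever of the three options in the quoted comment supplies the stream's `aud` value, the Receiver-side comparison is the same one shown here: the agreed or generated value is what `my_identifier` holds.

```python
"""Audience (aud) validation for an OAuth 2.0 / JWT token.

Added example, not code from the original e-mail or the Shared Signals
project. API_IDENTIFIER, SIGNING_KEY and the sample payloads are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

API_IDENTIFIER = "https://api.example.com"               # constructed: the identifier this API uses for itself
SIGNING_KEY = b"constructed-shared-secret-do-not-reuse"  # constructed HS256 key, example only


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Used here only to build the sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload if the HS256 signature is valid, else raise ValueError.

    The algorithm is pinned to HS256 rather than taken from the token, so a
    header that says "none" or names another algorithm is rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def audience_accepted(payload: dict, my_identifier: str) -> bool:
    """RFC 7519 section 4.1.3: aud is a string or an array of strings and the
    recipient must find its own identifier among the values.

    A missing aud, an empty array, a non-string value or a mixed array are all
    rejected. The comparison is exact and case-sensitive: no prefix, suffix or
    substring match.
    """
    aud = payload.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        audiences = [aud]   # wrap first: `my_identifier in aud` on a str would be a substring test
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False
    return any(a == my_identifier for a in audiences)


def accept_token(token: str, key: bytes, my_identifier: str) -> Optional[dict]:
    """Signature first, then audience. Returns the payload, or None to reject."""
    try:
        payload = verify_hs256(token, key)
    except ValueError:      # also covers malformed base64 and JSON (both raise ValueError subclasses)
        return None
    if not audience_accepted(payload, my_identifier):
        return None
    return payload


def demo() -> dict:
    """Run constructed tokens through accept_token; True means accepted."""
    cases = {
        "exact_string": {"sub": "alice", "aud": API_IDENTIFIER},
        "array_including_us": {"sub": "alice", "aud": ["https://other.example.net", API_IDENTIFIER]},
        "other_api": {"sub": "alice", "aud": "https://other.example.net"},
        "missing_aud": {"sub": "alice"},
        "wrong_type": {"sub": "alice", "aud": 42},
        "prefix_only": {"sub": "alice", "aud": API_IDENTIFIER + "/v2"},
        "case_differs": {"sub": "alice", "aud": API_IDENTIFIER.upper()},
    }
    results = {name: accept_token(make_hs256_token(p, SIGNING_KEY), SIGNING_KEY, API_IDENTIFIER) is not None
               for name, p in cases.items()}
    # A token issued for another API whose payload is swapped to carry our aud: the signature no longer matches.
    good = make_hs256_token(cases["exact_string"], SIGNING_KEY).split(".")
    other = make_hs256_token(cases["other_api"], SIGNING_KEY).split(".")
    results["aud_rewritten_after_signing"] = accept_token(
        ".".join([other[0], good[1], other[2]]), SIGNING_KEY, API_IDENTIFIER) is not None
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {'accepted' if accepted else 'rejected'}")
```

Two details are worth keeping when porting this to a real token library: normalise a string `aud` into a one-element list before testing membership (a bare `in` on a string is a substring match, so `https://api.example.com` would "match" an `aud` of `https://api.example.com.attacker.example`), and pin the expected algorithm and key on the verifying side instead of trusting the token's header. The audience check only means something once the signature over the payload has been verified, which is why `accept_token` does them in that order.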