The aud (audience) claim in a JWT identifies the intended recipient of the token. When your server verifies a token, it should confirm aud matches its own identifier — usually the OAuth client ID.
Why it matters
Without aud validation, a token issued for one service could be replayed against another. If Service A and Service B share the same IdP and the IdP signs all their tokens with the same key, B might accept an A-token as valid — unless B checks aud.
Example
An OIDC ID token for your client:
{
"iss": "https://accounts.google.com",
"aud": "1234567890.apps.googleusercontent.com",
"sub": "user_123",
"exp": 1700000000
}
Your server verifies the signature, then:
if (payload.aud !== YOUR_CLIENT_ID) throw new Error('aud mismatch: token not issued for this client');
If it doesn’t match, the token was issued for someone else. Reject.
Multiple audiences
aud can be a string or an array of strings. If an array, your ID must be in the array. Most tokens use a single string.
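The check described above (single-string aud) and the array case from this section, written out as an added example that is not code from the original page. It assumes the signature, iss and exp have already been verified by your JWT library and that you pass the decoded claims object in as payload; the client IDs and payloads are constructed samples, not real tokens.

```javascript
// Added example: audience check applied after signature verification.
// `payload` is the decoded JWT claims object; `expectedAudience` is this
// server's own identifier (the OAuth client ID for an OIDC ID token).
// Assumes signature, iss and exp were already checked by the JWT library.
function audienceMatches(payload, expectedAudience) {
  // Refuse to run with an unconfigured audience: a default would accept anything.
  if (typeof expectedAudience !== 'string' || expectedAudience.length === 0) {
    throw new Error('expectedAudience must be configured; never accept a default');
  }
  const aud = payload.aud;
  // A token with no aud cannot prove it was meant for us: reject.
  if (aud === undefined || aud === null) return false;
  // aud is either a single string ...
  if (typeof aud === 'string') return aud === expectedAudience;
  // ... or an array of strings, in which case our ID must be one of them.
  if (Array.isArray(aud)) {
    return aud.some((a) => typeof a === 'string' && a === expectedAudience);
  }
  // Any other shape (object, number) is malformed: reject.
  return false;
}

// Constructed sample identifiers and payloads (hypothetical, not real tokens).
const SERVICE_A_CLIENT_ID = 'service-a.example';
const SERVICE_B_CLIENT_ID = 'service-b.example';

const tokenForA = {
  iss: 'https://idp.example', aud: SERVICE_A_CLIENT_ID, sub: 'user_123', exp: 1700000000,
};
const tokenForBoth = {
  iss: 'https://idp.example', aud: [SERVICE_A_CLIENT_ID, SERVICE_B_CLIENT_ID], sub: 'user_123', exp: 1700000000,
};
const tokenNoAud = { iss: 'https://idp.example', sub: 'user_123', exp: 1700000000 };

// Walks through the scenarios from the text and returns the decisions.
function demo() {
  return {
    aAcceptsOwnToken: audienceMatches(tokenForA, SERVICE_A_CLIENT_ID),     // true
    bRejectsReplayedAToken: audienceMatches(tokenForA, SERVICE_B_CLIENT_ID), // false
    bAcceptsMultiAudience: audienceMatches(tokenForBoth, SERVICE_B_CLIENT_ID), // true
    bRejectsMissingAud: audienceMatches(tokenNoAud, SERVICE_B_CLIENT_ID),    // false
  };
}

console.log(demo());
```

The function returns false rather than throwing for a bad aud so the caller can log the mismatch and return a uniform 401; it throws only when the expected audience itself is unconfigured, which is a deployment error you want to surface at startup rather than silently accept.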
When a library does it for you
jose, passport-openidconnect, and similar libraries validate aud if you configure the expected audience. Always configure it — never accept a default.
See the full auth glossary for related terms.