The iss (issuer) claim in a JWT identifies the principal that issued the token. When your server verifies a token, it should confirm iss matches the expected identity provider.
Why it matters
Without iss validation, your server would accept any token whose signature it can verify, no matter which IdP produced it. An attacker could set up their own IdP, issue themselves an admin token, sign it with that IdP's key, and present it to your server. If you only validated the signature (which is cryptographically valid for that IdP), your server would accept it.
iss validation is the check that says “I only trust tokens from this specific IdP.”
Example
{
  "iss": "https://accounts.google.com",
  "aud": "1234567890.apps.googleusercontent.com",
  "sub": "user_123",
  "exp": 1700000000
}
Your server configures EXPECTED_ISSUER = "https://accounts.google.com", compares the token's iss to it by exact string match, and rejects anything else.
Multi-IdP applications
If your app accepts tokens from multiple IdPs (e.g., Google for consumer sign-in, Okta for enterprise), maintain a map of iss → configuration (key set, expected audience), look the incoming token's issuer up in that map by exact match, and choose the verification path from the entry found. An issuer that is not in the map is rejected outright.
Practical validation
import { jwtVerify, createRemoteJWKSet } from 'jose'
// Key set published by the IdP (Google's JWKS endpoint); jose fetches and caches it
const JWKS = createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))
// One call checks the signature against JWKS, then iss, aud and exp
const { payload } = await jwtVerify(token, JWKS, {
  issuer: 'https://accounts.google.com',
  audience: YOUR_CLIENT_ID,
})
Both issuer and audience should be set. Skipping either one is a security hole: without issuer, tokens from any other IdP are accepted; without audience, a token the same IdP issued to a different application is accepted.
See the full auth glossary for related terms.