Claims to verify in an auth flow in backend

Original message was deleted

FFO•9/10/24, 8:39 AM

Main claims that you need to verify is the ISS and the AUD (besides the signature ;-))

YYoav Lavi Although in our case since it's self hosted there's only going to ever be one in...

FFO•9/10/24, 9:35 AM

The issuer is the most important piece besides the signature.

Since it allows you to verify the "correct" system sent the token.

I meant main, beacuse in some cases you also want to verify authorizations or to which org a user belongs to.

FFO•9/10/24, 9:36 AM

haha, I see

FFO•9/10/24, 9:37 AM

Yeah well my wording was not optimal

FFO•9/10/24, 12:53 PM

In zitadel a single "instance" (which can have many domains) share the same keys.