Is there a way to restrict the audiences of a token to only the client ID?

Original message was deleted

Raccine•1/9/25, 3:54 PM

Hey @Yann! Thanks for reaching out - This doc should fit your use case! Let me know if it's insightful: https://zitadel.com/docs/guides/integrate/token-exchange#reduce-audience-and-scope-example

ZITADEL Docs

The Token Exchange grant implements RFC 8693, OAuth 2.0 Token Exchange and can be used to exchange tokens to a different scope, audience or subject. Changing the subject of an authenticated token is called impersonation or delegation. This guide will explain how token exchange is implemented inside ZITADEL and gives some usage examples.

fabienne•1/10/25, 3:19 PM

as far as i remember from the top of my head we always include the project id and the client ids of the app in the audience. Not 100% sure about the project id right now.

fabienne•1/10/25, 3:19 PM

this would mean you would always get at least the project id and the client id of your app, if you only have that client in the project

fabienne•1/10/25, 3:20 PM

but yes otherwise if you don't want to have to other clients in there, we suggest to split them into different projects.

fabienne•1/10/25, 3:20 PM

the reason why we do this, is that multiple clients can share the same role context, but in your case you might want to avoid that