Problem
The auth server signs tokens with `iss` but no `aud` (audience) claim. See `src/lib/token.ts`: `signAccessToken`, `signRefreshToken`, and `signEphemeralToken` set `.setIssuer(ISSUER)` but never `.setAudience(...)`. Verifiers (the `@seamless-auth/express` adapter) validate `iss` against the auth-server URL but cannot enforce an audience, so a token can't be scoped to its intended audience.
Goal
Issue tokens with a single, well-defined audience (e.g. `seamless-auth`) and have all verifiers enforce it. Note the internal service-token path already standardizes on `aud: seamless-auth` (`src/middleware/authenticateServiceToken.ts`), so we should align on one audience scheme for the auth server rather than introduce a second.
Scope (contract change — ripples to verifiers)
- `src/lib/token.ts`: add `.setAudience(<canonical aud>)` to access/refresh/ephemeral signing.
- `@seamless-auth/express` / `@seamless-auth/core`: pass `audience` to `jwtVerify` / `createRemoteJWKSet` verification so it's enforced.
- Coordinate the rollout: verifiers must accept the new `aud` before (or at the same time as) the server starts emitting it, to avoid breaking live sessions.
Context
Surfaced while building the cross-SDK conformance harness (`seamless verify`). Future hardening item, not urgent.