An API must audience-restrict access tokens so that a token can only be used by the recipient or service it was issued for. Audience restriction is implemented by having the token issuer embed an audience claim (the "aud" claim in a JWT, defined in RFC 7519) that names the exact API or service entitled to accept the token; the value may be a single identifier or a list of identifiers.
If no API gateway enforces this in front of the API, the API (resource server) itself must validate the audience claim on every request and reject any token whose audience does not name the API, even when the token's signature and expiry are otherwise valid. Without that check, a token issued for one service can be replayed against any other service that trusts the same issuer. Limiting each token to its intended purpose contains the damage from a token that is intercepted or leaked elsewhere in the system.
Check
Review the API's token issuance process, specifically for access tokens (e.g., JWTs or OAuth2 tokens).
Inspect the aud (audience) claim in the access tokens to verify that it is present and correctly populated with the intended audience identifier(s).
Confirm that audience restrictions align with the organization's identification and authentication policy, ensuring that tokens are scoped only to authorized APIs, services, or clients.
Review access control and validation logic in the API or resource server to ensure that incoming tokens are validated against the expected audience value(s), and that a token with a missing, empty, or non-matching aud claim is rejected rather than treated as valid.
Interview the system owner or developer to verify how audience values are defined, issued, and enforced.
If access tokens are not audience-restricted or if the audience values do not comply with the organization-defined policy, this is a finding.
Fix
Build or configure the API to audience restrict access tokens in accordance with organization-defined identification and authentication policy.
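As an added example (not code from this page or from any particular product), the following Python shows the validation logic the Check and Fix refer to: a minimal HS256 JWT verifier, once without and once with the audience check. The shared secret, issuer and the two audience identifiers are constructed for the example. Without the check, a token minted for the sibling "payments" API is accepted by the "orders" API because it carries a valid signature from the same issuer; with the check it is rejected, tokens naming this API (alone or inside an aud array) are accepted, and tokens with no aud claim are refused.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical values for this example (not from the page).
SHARED_SECRET = b"example-hs256-secret-do-not-reuse"  # assumed issuer/API shared key
THIS_API_AUDIENCE = "https://orders.example/api"  # identifier this API accepts
OTHER_API_AUDIENCE = "https://payments.example/api"  # sibling service, same issuer


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; stands in for the authorization server here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_signature(token: str, secret: bytes) -> dict:
    """Check structure, alg, HMAC and expiry; return the claims. No audience check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and time.time() >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def audience_matches(aud_claim, expected: str) -> bool:
    """RFC 7519: aud is a string or an array of strings; a missing aud fails."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list):
        return any(isinstance(a, str) and a == expected for a in aud_claim)
    return False


def accept_without_aud_check(token: str) -> dict:
    """The finding: a valid signature is enough, whoever the token was issued for."""
    return verify_signature(token, SHARED_SECRET)


def accept_with_aud_check(token: str, expected_audience: str = THIS_API_AUDIENCE) -> dict:
    """Hardened: reject any token whose aud does not name this API."""
    claims = verify_signature(token, SHARED_SECRET)
    if not audience_matches(claims.get("aud"), expected_audience):
        raise PermissionError("token audience %r is not %r" % (claims.get("aud"), expected_audience))
    return claims


def demo() -> dict:
    """Mint tokens for this API, a sibling API, both, and none; run both validators."""
    now = int(time.time())
    base = {"iss": "https://idp.example", "sub": "user-42", "iat": now, "exp": now + 300}
    tokens = {
        "this_api": mint_token({**base, "aud": THIS_API_AUDIENCE}, SHARED_SECRET),
        "other_api": mint_token({**base, "aud": OTHER_API_AUDIENCE}, SHARED_SECRET),
        "multi_aud": mint_token({**base, "aud": [OTHER_API_AUDIENCE, THIS_API_AUDIENCE]}, SHARED_SECRET),
        "no_aud": mint_token(base, SHARED_SECRET),
    }

    def outcome(validator, token):
        try:
            validator(token)
            return "accepted"
        except (PermissionError, ValueError) as err:
            return "rejected: " + str(err)

    results = {"unchecked/other_api": outcome(accept_without_aud_check, tokens["other_api"])}
    for name, token in tokens.items():
        results["checked/" + name] = outcome(accept_with_aud_check, token)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name.ljust(22), result)
```

In production the signature would normally be verified by a JWT library against the issuer's published keys rather than a hand-rolled HMAC check; the point of the example is that signature validity says nothing about which service the token was issued for, so the aud comparison is a separate, mandatory step, and a missing aud must fail closed.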