How to configure expected audience for JWT token validation

I’m using Tyk Gateway + Tyk Operator in a Kubernetes cluster. I have ApiDefinition and SecurityPolicy configured to validate JWT token (Auth0) for my API. All works well.

As our IdP may issue valid JWT tokens for different audiences, I want to ensure that when validating requests to /foo, the JWT token contains an aud claim with the value foo-audience. And if requests are sent to /bar, then the JWT token must contain an aud claim bar-audience.

I couldn’t find a setting that allows me to tell Tyk what audience value to check for when validating the JWT token. Is there a way to do so?

I found this topic) that suggests that Tyk does perform some sort of aud validation.

Hi @al43k2l, I think you could use our JWT scope to policy mapping feature

The new syntax of writing it is shown below. The old syntax still works for backward comparability.

"scopes": {
      "jwt": {
        "scope_claim_name": "aud",
        "scope_to_policy": {
          "bar-audience": "bar-audience-policy-id",
          "foo-audience": "foo-audience-policy-id"
      "oidc": {}

In your policy, you can then set the allowed_urls to restrict access based on the policy

"access_rights": {
        "sample-service": {
            "api_name": "Sample service API",
            "api_id": "sample-service",
            "versions": [
            "allowed_urls": [
                    "url": "/foo",
                    "methods": [
                    "url": "/another-subpath-example",
                    "methods": [
            ], ...

Hope this helps.

Thanks a lot @Olu for the suggestion!