Access token issuer and unisolated domains

Based on this question I am curious as to how the issuer is determined when generating the tokens. Is it based on the domain that generates the token (e.g. https://myapp-sandbox in the linked question), or on the mapped tenant coming from the client_id (https://myapp-stage in the linked question)?

Is it sufficient to just verify the signature of the token based on the endpoint of the intended tenant (client_id mapped tenant)? Or would I still have to check the issuer in the token?

Also, I'd like to add that this would help me understand how to handle the situation with custom/multiple domains on a single tenant.

Hi @ggjersund and welcome to the community :wave:

That question only applies to the client credentials flow, which is unique in that it issues a token based only on the client_id and client_secret. Therefore, it does not require the client_id to belong to the associated domain. However, for all other flows the client_id will have to be one mapped to the tenant.

For validating the token you should really just use a middleware that will handle the details for you. However, if you want to manually check them you’ll need to do more than just check the signature, as explained here:

Multiple custom domains are not currently possible, but should be possible in the future.

Hopefully that was all clear. Please let me know if you have any questions about that.