JwtVerifierConfig.acceptedTokenTypes

JOSE typ header values accepted for a bearer access token, compared case-insensitively (RFC 7515 §4.1.9, which also lets an application/ media-type prefix be omitted). RFC 9068 §2.1 specifies at+jwt for JWT access tokens, and §4.1 requires the resource server to reject a token whose typ does not match the expected type, defeating type-confusion attacks (e.g. an OIDC id_token signed with the same key replayed as an access token). The default also accepts the bare JWT that many issuers (including this SDK's own token signer) emit. A token whose typ is absent or not listed here is rejected; set this empty to disable the check for legacy issuers.

struct JwtVerifierConfig
string[] acceptedTokenTypes;
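The check described above, sketched as a stand-alone D program. This is an added example, not the SDK's own code: `canonicalTyp`, `typAccepted` and `sampleToken` are hypothetical names, the tokens are constructed, and only the header is inspected (no signature or claim validation).

```d
import std.base64 : Base64URLNoPadding;
import std.json : JSONType, parseJSON;
import std.string : indexOf;
import std.uni : toLower;

// RFC 7515 §4.1.9: compare case-insensitively and treat a value without '/'
// as if "application/" were prepended.
string canonicalTyp(string typ) {
    auto t = typ.toLower;
    return t.indexOf('/') < 0 ? "application/" ~ t : t;
}

// Header-only typ check (hypothetical helper, not the SDK's verifier).
bool typAccepted(string compactJws, const(string)[] accepted) {
    if (accepted.length == 0) return true;            // empty list disables the check
    immutable dot = compactJws.indexOf('.');
    if (dot <= 0) return false;                       // not a compact JWS
    try {
        auto raw = Base64URLNoPadding.decode(compactJws[0 .. dot]);
        auto header = parseJSON(cast(const(char)[]) raw);
        if (header.type != JSONType.object) return false;
        auto typ = "typ" in header;
        if (typ is null || typ.type != JSONType.string) return false; // absent typ
        immutable got = canonicalTyp(typ.str);
        foreach (a; accepted)
            if (canonicalTyp(a) == got) return true;
        return false;
    } catch (Exception) { return false; }             // malformed base64url or JSON
}

// Constructed sample token: real header, dummy payload and signature.
string sampleToken(string headerJson) {
    return (Base64URLNoPadding.encode(cast(const(ubyte)[]) headerJson) ~ ".e30.c2ln").idup;
}

void main() {
    auto access  = sampleToken(`{"alg":"RS256","typ":"application/AT+JWT"}`);
    auto idStyle = sampleToken(`{"alg":"RS256","typ":"JWT"}`); // assumed typ of a non-access token
    auto untyped = sampleToken(`{"alg":"RS256"}`);
    assert(typAccepted(access, ["at+jwt"]));          // prefix and case are normalized
    assert(!typAccepted(idStyle, ["at+jwt"]));        // strict list rejects typ JWT
    assert(typAccepted(idStyle, ["at+jwt", "JWT"]));  // listing JWT lets it through
    assert(!typAccepted(untyped, ["at+jwt", "JWT"])); // absent typ is rejected
    assert(typAccepted(untyped, null));               // empty list: check disabled
}
```

The third assertion shows why a resource server whose issuer emits at+jwt may want to narrow the list to that single value: any token typed JWT and signed with the same key passes the typ check once JWT is listed.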