JOSE typ header values accepted for a bearer access token, compared case-insensitively (RFC 7515 §4.1.9, which also allows the application/ media-type prefix to be omitted). RFC 9068 §2.1 specifies at+jwt for JWT access tokens, and §4.1 requires the resource server to reject a token whose typ does not match the expected type, which defeats type-confusion attacks (e.g. an OIDC id_token signed with the same key replayed as an access token). The default also accepts the bare value JWT that many issuers (including this SDK's own token signer) emit. A token whose typ is absent or not listed here is rejected; set this to an empty list to disable the check for legacy issuers.
The required audience (aud, the RFC 8707 resource). When set, a token that does not list it among its audiences is rejected.
Leeway applied to exp/nbf to tolerate clock skew.
The required token issuer (iss). When set, a token whose iss differs is rejected.
How long a fetched JWKS document is cached before being refetched.
The JWKS endpoint to fetch verification keys from (kid-selected). When empty, only staticPublicKeysPem are used.
Scopes the token must carry (from scope or scp). All must be present.
PEM-encoded public keys (-----BEGIN PUBLIC KEY-----) pinned directly, tried in order. An alternative to jwksUri for static deployments.
Configuration for jwtVerifier. Provide either a jwksUri (the verifier fetches and caches the issuer's JWKS, selecting the key by kid) or one or more staticPublicKeysPem (PEM SubjectPublicKeyInfo blobs pinned directly).