Scopes tell the authorization server what kind of access was requested, but claims tell the consuming service what is true about the subject, the issuer, and the grant. Resource servers should evaluate claims such as issuer, audience, and expiration because those values determine whether the token can be trusted for that specific request.
Why This Matters for Security Teams
At token consumption time, the service receiving the token is the last practical control point before data is returned or an action is performed. That is why claims matter more than scopes there: scopes describe intent at issuance, but claims such as issuer, audience, subject, and expiration describe whether the token is valid for this exact request. A token with the right scope but the wrong audience is still dangerous, especially in distributed systems where tokens are copied, forwarded, or replayed.
This distinction is not theoretical. NHI Management Group research in the 2025 State of NHIs and Secrets in Cybersecurity found that 44% of NHI tokens are exposed in the wild, often in collaboration tools and code commits, which makes downstream validation essential. Recent incidents like the Salesloft OAuth token breach and the Internet Archive breach show how tokens become breach paths when services trust metadata too loosely. Current guidance from the OWASP Non-Human Identity Top 10 aligns with the same lesson: resource servers must verify what the token says about itself, not just whether it was once issued.
In practice, many security teams encounter token abuse only after an exposed credential is reused against a service that never checked the claims carefully enough.
How It Works in Practice
Scopes remain important, but they answer a different question. At issuance time, the authorisation server decides what access is being requested and may attach a scope like read:invoices or write:customer-profile. At consumption time, the API or workload must decide whether the presented token is trustworthy for this request. That decision depends on claims that can be validated locally or against policy, including iss, aud, exp, nbf, and sometimes tenant, jti, or actor context.
A practical validation flow usually looks like this:
- Verify the token signature against a trusted key set.
- Check the issuer is expected and the audience matches the receiving service.
- Confirm the token is unexpired and not used before its valid time.
- Apply local policy to claims that express tenant, workload, or delegation boundaries.
- Use scopes only after claim validation, as a coarse grant signal, not a trust signal.
This matters even more for workload identities and autonomous systems. If an agent or service can chain tools, call downstream APIs, or act on behalf of a user, then static RBAC or blanket scopes are too blunt. Best practice is evolving toward intent-based authorisation and short-lived credentials, where the service evaluates the token’s claims in the context of the current action. That is consistent with NHI guidance in the Guide to the Secret Sprawl Challenge and incident patterns seen in the JetBrains GitHub plugin token exposure, where access persisted beyond the point of intended use. The OWASP Non-Human Identity Top 10 also reinforces that secrets and tokens need lifecycle controls, not just issuance controls.
These controls tend to break down when services accept opaque bearer tokens from multiple issuers without enforcing audience separation or expiration strictly.
Common Variations and Edge Cases
Tighter claim validation often increases integration overhead, requiring organisations to balance stronger request-time trust decisions against legacy compatibility. That tradeoff is real, especially in mixed environments where some services understand JWT claims and others still rely on gateway-enforced policy or session cookies.
There is no universal standard for every edge case. Some platforms place more logic in an API gateway, while others validate claims inside each microservice. For high-risk environments, current guidance suggests validating claims as close as possible to the resource and combining that with ephemeral credentials, workload identity, and policy-as-code. The emerging pattern is especially important for agentic systems, where an autonomous agent can request one tool, pivot to another, and reuse a token in ways the original scope did not anticipate.
Two practical exceptions are worth calling out. First, some internal service-to-service tokens may carry minimal claims because identity is enforced through mTLS or workload identity frameworks, but the resource still needs enough signal to confirm issuer and audience. Second, delegated tokens may include actor or cnf-style proof-of-possession claims, which can improve assurance but require careful implementation. NIST AI Risk Management Framework guidance and CSA MAESTRO both support this move toward context-aware runtime decisions, rather than assuming that a broad scope is sufficient. In complex estates, the Dropbox Sign breach is a useful reminder that once tokens escape their intended boundary, only precise claim checks stop them from being reused elsewhere.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Token lifecycle and validation are central to NHI trust decisions. |
| OWASP Agentic AI Top 10 | AG-04 | Autonomous agents need runtime checks, not static permission assumptions. |
| NIST AI RMF | AI RMF supports governance for dynamic, context-aware decisioning. |
Evaluate agent requests at runtime against intent, context, and current token claims.
