Audience
This section documents the configuration of audiences. Each audience defines a grouping boundary for clients and determines the aud claim in access tokens issued for clients in that audience.
See Audience for an overview of the concept.
audiences.<id>
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| <id> | string | Unique identifier of the audience. | YES | |
| invitation-enabled | boolean | Enable invitation-based registration for this audience. | NO | false |
| sign-up-enabled | boolean | Enable open registration for this audience. | NO | true |
| token-audience | string | Value used as the aud claim in access tokens issued for clients in this audience. | NO | <id> |
audiences.<id>
The identifier is used to reference this audience from client, scope, and claim configurations.
audiences.<id>.invitation-enabled
When true, invitations can be created for this audience and redeemed during sign-up. This flag works in combination with sign-up-enabled to control registration behavior:
| sign-up-enabled | invitation-enabled | Behavior |
|---|---|---|
| true | false | Open registration (default) |
| true | true | Open registration + invitations (invitations can pre-assign claims) |
| false | false | No self-registration (Admin API only) |
| false | true | Invitation-only sign-up |
audiences.<id>.sign-up-enabled
When true, any user can create an account during the interactive flow. When false, self-registration is disabled — accounts can only be created through the Admin API or, if invitation-enabled is true, through an invitation.
audiences.<id>.token-audience
When not set, the audience identifier is used as the aud claim value. Set this explicitly when the token audience must be a URL or a value different from the configuration identifier.
Example
```yaml
audiences:
  my-app:
    token-audience: "https://api.my-app.com"
  backoffice:
    sign-up-enabled: false
    invitation-enabled: true
    # token-audience defaults to "backoffice"
```
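
An added example (not part of the original documentation or the project's code): a Python check that applies the defaults documented above to a parsed audiences mapping, reports each audience's effective registration mode and aud value, and flags audiences left on the open-registration default. Rejecting non-boolean flags, treating a shared aud value as a finding, and the "partner" audience are assumptions of this example.

```python
# Defaults documented on this page for the two registration flags.
DEFAULTS = {"sign-up-enabled": True, "invitation-enabled": False}
# Behavior per (sign-up-enabled, invitation-enabled), from the table above.
MODES = {
    (True, False): "open registration",
    (True, True): "open registration + invitations",
    (False, False): "no self-registration (Admin API only)",
    (False, True): "invitation-only sign-up",
}


def resolve(audiences):
    """Return {id: effective settings} with the documented defaults applied."""
    resolved = {}
    for aud_id, cfg in audiences.items():
        cfg = cfg or {}  # an audience with no keys loads as None from YAML
        for key in DEFAULTS:
            # A quoted "false" is a non-empty string, so reject non-booleans.
            if key in cfg and not isinstance(cfg[key], bool):
                raise ValueError(f"audiences.{aud_id}.{key} must be a boolean")
        sign_up = cfg.get("sign-up-enabled", DEFAULTS["sign-up-enabled"])
        invite = cfg.get("invitation-enabled", DEFAULTS["invitation-enabled"])
        resolved[aud_id] = {
            "mode": MODES[(sign_up, invite)],
            "aud": cfg.get("token-audience", aud_id),  # defaults to <id>
            "open_by_default": sign_up and "sign-up-enabled" not in cfg,
        }
    return resolved


def findings(audiences):
    """Review points: implicit open sign-up, and aud values shared by audiences."""
    out, seen = [], {}
    for aud_id, eff in resolve(audiences).items():
        if eff["open_by_default"]:
            out.append(f"{aud_id}: sign-up-enabled not set, open registration applies")
        if eff["aud"] in seen:
            out.append(f"{aud_id}: aud '{eff['aud']}' also used by {seen[eff['aud']]}")
        seen.setdefault(eff["aud"], aud_id)
    return out


# Constructed sample: the page's example plus a hypothetical "partner" audience.
SAMPLE = {
    "my-app": {"token-audience": "https://api.my-app.com"},
    "backoffice": {"sign-up-enabled": False, "invitation-enabled": True},
    "partner": {"sign-up-enabled": False, "token-audience": "backoffice"},
}
```

Calling `findings(SAMPLE)` reports that my-app relies on the open-registration default and that the hypothetical partner audience resolves to the same aud value as backoffice.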