Module: StandardId::AudienceVerification

Extended by:
ActiveSupport::Concern
Defined in:
app/controllers/concerns/standard_id/audience_verification.rb

Overview

Per-controller audience verification for API endpoints.

While StandardId validates that the JWT `aud` claim is in the global `allowed_audiences` list, this concern provides additional defense-in-depth by restricting which audiences are accepted by each controller.

Requires StandardId::ApiAuthentication to be included before this concern (provides `verify_access_token!` and `current_session`). An error is raised at include time if ApiAuthentication is missing.

The caller is responsible for registering `before_action :verify_access_token!` (typically via ApiAuthentication or a base controller). This concern only adds the `verify_audience!` callback, which must run after token verification so that `current_session` is populated. This is consistent with how `require_scopes!` works in ApiAuthentication.

Examples:

Single audience

class AdminController < Api::BaseController
  include StandardId::AudienceVerification
  verify_audience "admin"
end

Multiple audiences

class SharedController < Api::BaseController
  include StandardId::AudienceVerification
  verify_audience "admin", "mobile"
end
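As an added illustration of the behaviour described above (this is not the gem's own implementation), the following plain-Ruby model shows the include-time guard, the `verify_audience` macro, and the `verify_audience!` callback matching a string or array `aud` claim against the controller's allow-list. `FakeBaseController`, `dispatch` and `AudienceMismatch` are assumptions standing in for Rails and ApiAuthentication so the example runs without them.

```ruby
# Constructed illustration of a per-controller audience check (not the gem's
# code). Plain Ruby, no Rails: FakeBaseController stands in for a controller
# that already has ApiAuthentication; AudienceMismatch is an assumed error.
module AudienceVerification
  class AudienceMismatch < StandardError; end
  def self.included(base)
    # Include-time guard: current_session must already exist (ApiAuthentication).
    raise ArgumentError, "include ApiAuthentication first" unless base.method_defined?(:current_session)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # verify_audience "admin", "mobile": store the allow-list and register the
    # callback, which must run after verify_access_token! filled current_session.
    def verify_audience(*audiences)
      @allowed_audiences = audiences.map(&:to_s)
      before_action :verify_audience!
    end
    def allowed_audiences
      @allowed_audiences || []
    end
  end

  # aud may be a string or an array; accept when at least one value is on this
  # controller's allow-list, otherwise reject before the action runs.
  def verify_audience!
    aud = Array(current_session["aud"]).map(&:to_s)
    allowed = self.class.allowed_audiences
    return true if (aud & allowed).any?
    raise AudienceMismatch, "aud #{aud.inspect} not in #{allowed.inspect}"
  end
end

# Minimal stand-in for a Rails controller with ApiAuthentication mixed in.
class FakeBaseController
  def self.before_action(name); (@callbacks ||= []) << name; end
  def self.callbacks; @callbacks || []; end
  def initialize(claims); @claims = claims; end   # decoded JWT claims
  def current_session; @claims; end
  def dispatch; self.class.callbacks.each { |cb| send(cb) }; :ok; end
end

class AdminController < FakeBaseController
  include AudienceVerification
  verify_audience "admin"
end
class SharedController < FakeBaseController
  include AudienceVerification
  verify_audience "admin", "mobile"
end
```

A token whose `aud` is `"admin"` passes `AdminController`, one whose `aud` is `["mobile", "web"]` passes `SharedController`, and a token with no overlapping audience (or no `aud` at all) is rejected before the action runs.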