Attacker could use a leaked token to call APIs: with both audiences in one token, invoice.api can call customer.api (or vice versa).

Header:
{ "typ": "JWT", "alg": "RS256", "kid": "1" }

Payload:
{ "iss": "https://my_issuer", "exp": "1340819380", "aud": [ "invoice.api", "customer.api" ], "client_id": "client1" }

JWT = Header . Payload . Signature
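Added example (not from the slide): a minimal verifier showing why the multi-audience token above is accepted by both APIs, while a single-audience token is rejected by the API it was not issued for. It signs with HS256 and a constructed key so it runs with the standard library only; the slide's RS256 key handling is assumed to be done elsewhere, and the audience check is the same either way.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"  # constructed value, HS256 stands in for RS256


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(payload: dict, key: bytes = KEY) -> str:
    """Build header.payload.signature for the given claims."""
    header = {"typ": "JWT", "alg": "HS256", "kid": "1"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + \
        _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, expected_aud: str, now: int, key: bytes = KEY) -> dict:
    """Check signature, expiry and audience; raise ValueError on any failure."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if int(payload["exp"]) <= now:  # the slide carries exp as a string
        raise ValueError("expired")
    aud = payload.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])  # RFC 7519: string or array
    if expected_aud not in auds:  # each API must insist on its own audience
        raise ValueError(f"token not intended for {expected_aud}")
    return payload


def accepted_by(token: str, api: str, now: int) -> bool:
    try:
        verify(token, api, now)
        return True
    except ValueError:
        return False


# The slide's multi-audience claims beside a single-audience variant; NOW is constructed.
NOW = 1340819000
MULTI = issue({"iss": "https://my_issuer", "exp": "1340819380",
               "aud": ["invoice.api", "customer.api"], "client_id": "client1"})
SINGLE = issue({"iss": "https://my_issuer", "exp": "1340819380",
                "aud": "invoice.api", "client_id": "client1"})
```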