STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274846

CAT II (Medium)

The API must audience-restrict assertions in accordance with organization-defined identification and authentication policy.

Rule ID

SV-274846r1143894_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-005163, CCI-000366

Discussion

An API must audience-restrict assertions to ensure the information or access granted by a token is only usable by its intended recipient. Assertions like JWTs or SAML tokens often include an "audience" (aud) claim, which specifies the exact service or API that is authorized to consume the assertion. Without this restriction, a token could be intercepted and used by an unintended or malicious service, potentially leading to unauthorized access or data breaches. By enforcing audience restrictions, the API strengthens its security posture by ensuring assertions cannot be misused outside their intended context.

Check Content

Review the organization's identification and authentication policy to understand the specific audience restrictions defined, including which entities or systems are allowed to consume the assertions and how audience claims are handled.

Check the API's implementation to verify assertions include proper audience claims (e.g., aud in JWT tokens). The audience claim must specify which entity or service is permitted to use the assertion, in accordance with the organization's policy.

Simulate the use of assertions by different services or users to verify the API correctly enforces audience restrictions. The API must reject any assertion that is not intended for the current consumer or service, based on the audience claim.

Verify the audience values specified in the assertions align with the organization's policy.

Check that the API logs events related to audience validation, including successful and failed attempts to access protected resources based on audience restrictions. These logs must be detailed enough to identify when audience-related validation occurs and whether access was granted or denied.

If the API relies on third-party identity providers (IdPs) or other systems for generating assertions, verify these systems correctly implement audience restriction policies. Test the integration between these systems and the API to verify that audience-restricted assertions are being correctly issued and consumed.

Review the API's documentation to confirm audience restrictions are implemented correctly, and ensure the API is fully compliant with the organization's defined audience control policies.

If the API does not audience-restrict assertions in accordance with organization-defined identification and authentication policy, this is a finding.

Fix Text

Build or configure the API to audience-restrict assertions in accordance with organization-defined identification and authentication policy.
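Added example, not code from STIGhub, DISA or the SRG: a minimal API-side validator that enforces the JWT "aud" claim described in the Discussion and records the granted/denied log entries the Check Content asks for. It assumes HS256 tokens signed with a shared issuer/API secret; the secret, the API identifier https://api.example.test/orders and the function names are constructed for illustration.

```python
# Added example, not DISA/STIGhub code: enforce the JWT "aud" claim for this API
# and record every accept/reject decision so audience validation is auditable.
# Assumes HS256 with a shared issuer/API secret (constructed sample values only).
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Issuer side: mint an HS256 JWT. Used here only to build sample assertions."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_assertion(token: str, my_audience: str, secret: bytes, log: list, now=None):
    """API side: return (accepted, reason). The signature is checked before any
    claim is trusted; the token is accepted only if "aud" names this API and it
    has not expired. Every decision is appended to `log` (granted or denied)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signed = f"{header_b64}.{payload_b64}".encode()
        # The header's "alg" is deliberately ignored: this API always verifies HS256.
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            reason = "bad signature"
        else:
            claims = json.loads(_b64url_decode(payload_b64))
            aud = claims.get("aud")
            # RFC 7519 lets "aud" be one string or an array; this API must be listed.
            audiences = aud if isinstance(aud, list) else ([aud] if aud else [])
            if my_audience not in audiences:
                reason = f"audience mismatch: token issued for {audiences or 'no audience'}"
            elif claims.get("exp", 0) <= now:
                reason = "expired or missing exp"
            else:
                reason = "ok"
    except ValueError:  # wrong part count, bad base64, or non-JSON payload
        reason = "malformed token"
    accepted = reason == "ok"
    log.append({"event": "aud_validation", "expected_aud": my_audience,
                "result": "granted" if accepted else "denied", "reason": reason})
    return accepted, reason
```

A token minted for a different audience, one with no "aud" at all, and one signed with the wrong key are all denied with a distinct reason in the log, which is the evidence the "simulate the use of assertions" and logging checks above look for.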