gray-machine-46287
07/16/2025, 8:46 AM
`aud` audience for calls when specified?

brief-egg-61061
07/16/2025, 8:46 AM

brief-egg-61061
07/16/2025, 8:47 AM
`aud`) claim, but the enforcement mechanisms and configuration differ:

Oathkeeper: Oathkeeper's `jwt` authenticator allows you to specify a `target_audience` configuration. If set, Oathkeeper will validate that the JWT contains all values (exact, case-sensitive) in the `aud` claim. If the audience does not match, the token is considered invalid and the request will be denied. This is explicitly shown in the documentation and configuration examples:

```json
{
  "handler": "jwt",
  "config": {
    "target_audience": [
      "https://my-service.com/api/users",
      "https://my-service.com/api/devices"
    ]
  }
}
```

A JWT missing the required audience or with a mismatched audience will be rejected by Oathkeeper [Oathkeeper JWT Authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#jwt-validation-example).

Hydra: Hydra enforces the audience in several ways, depending on the flow:
- For OAuth2 access tokens, the audience is set and validated during the consent process. The audience must be included in the `grant_access_token_audience` when accepting the consent request, and it is validated against the allowed audiences for the client [Hydra Audience Guide](https://www.ory.sh/docs/hydra/guides/audiences).
- In the Client Credentials Grant, the `audience` parameter in the token request is decoded and validated according to the client's configuration [Hydra Client Credentials Audience](https://www.ory.sh/docs/hydra/guides/audiences#audiences-in-client-credentials-grant).
- For JWT Bearer client authentication, the `aud` claim in the JWT must match the token endpoint URL of the authorization server. Hydra will reject the request if the audience does not match the expected value [Hydra JWT Client Auth](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication).

Summary:
- Oathkeeper enforces the `aud` claim if `target_audience` is configured.
- Hydra enforces the `aud` claim according to the OAuth2 flow and client configuration.

If you do not configure audience enforcement in Oathkeeper, it will not be checked. In Hydra, audience validation is part of the OAuth2 and OIDC specification compliance and is enforced as described above.