Yes, you can require an OAuth2 client to request a specific audience (

aud

) by configuring the allowed audiences in the OAuth2 client settings. When creating or updating an OAuth2 client, you can specify the

audience

parameter as a list of URLs that the client is allowed to request. During OAuth2 flows like Authorization Code Grant, the client can then request audiences at the

/oauth2/auth

endpoint using the

audience

query parameter. The requested audience is validated against the allowed audiences defined in the client configuration. If the requested audience is not in the allow list, the request will be rejected. Here’s an example of how to set allowed audiences in the client configuration:

json {   "client_id": "...",   // ..   "audience": ["<https://api.my-cloud.com/user>", "<https://some-tenant.my-cloud.com/>"],   // .. }

And an example of requesting an audience during the authorization flow:

https://$<http://PROJECT_SLUG.projects.oryapis.com/oauth2/auth|PROJECT_SLUG.projects.oryapis.com/oauth2/auth>   ?client_id=...   &scope=...   &audience=<https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/>

The audience values are validated against the client’s allowed audiences, and only those present in the allow list will be accepted. This mechanism effectively forces the client to request only permitted audiences. You can also control the granted audience during consent handling by setting

grant_access_token_audience

in the consent acceptance payload [OAuth2 token audience](https://www.ory.sh/docs/hydra/guides/audiences). If you need to enforce that a client always requests a specific audience, you must ensure that only the desired audience(s) are present in the client’s allow list, and handle consent accordingly. The knowledge sources do not mention a way to make the

audience

parameter strictly required for every request, but restricting the allow list achieves a similar effect.