@benlabbe2007: So in this example, the token is generated with the API password
this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works.
The following request is sent to the FusionAuth server and returns the signed JWT.

```shell
curl --location 'http://localhost:9011/api/login' \
  --header 'Authorization: this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "loginId": "customer@example.com", "password": "password", "applicationId": "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e" }'
```

That password is sensitive and you would not share that for a production environment.
In the example, you pass the token you received from the above call to the API server. The Microsoft.AspNetCore.Authentication.JwtBearer package validates the JWT by default. Since the JWT is signed, we can assume it has not been tampered with. It is possible to add custom validation criteria for special cases if needed.
The ValidAudiences UUID should not be considered sensitive as it is contained in the JWT and anyone with access to the JWT can see it.
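An added example (not from the original post or from FusionAuth's own documentation) of the API-side configuration described above: an ASP.NET Core minimal API that validates FusionAuth-issued JWTs with the JwtBearer package, pins `ValidAudiences` to the application id from the login request, and adds one custom check on top of the default validation. It assumes FusionAuth runs at http://localhost:9011, signs tokens with an asymmetric key so its JWKS endpoint can be used, and has its tenant issuer set to that URL; the `applicationId` claim check is a hypothetical rule chosen for illustration.

```csharp
// Program.cs for a minimal ASP.NET Core API (added example, not from the original post).
// Assumptions: FusionAuth at http://localhost:9011 signs tokens with an asymmetric key
// (so its OIDC discovery / JWKS endpoint supplies the public key) and the tenant issuer
// is configured as that same URL.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

const string FusionAuthUrl = "http://localhost:9011";
// Application id from the login request above. Not a secret: it is readable in any token.
const string ApplicationId = "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys are fetched from FusionAuth's discovery document and JWKS endpoint.
        options.Authority = FusionAuthUrl;
        options.RequireHttpsMetadata = false; // local development only; require HTTPS elsewhere
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = FusionAuthUrl,            // assumption: tenant issuer equals this URL
            ValidateAudience = true,
            ValidAudiences = new[] { ApplicationId }, // reject tokens minted for other apps
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        // Custom criteria beyond the default checks (hypothetical rule for this example):
        // fail the request if the token's applicationId claim is not the expected one.
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = ctx =>
            {
                var appId = ctx.Principal?.FindFirst("applicationId")?.Value;
                if (appId != ApplicationId)
                    ctx.Fail("token was not issued for this application");
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/whoami", (HttpContext http) => http.User.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();
```

Send the JWT from the login response as `Authorization: Bearer <token>` to `/api/whoami`; a token with the wrong audience, a bad signature, or an expired `exp` is rejected with 401 before the endpoint runs.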