@Matias.Monday the JWT contains an “aud” element. This is the full URL to which monday sent the original request. When we receive a token, we can look at our headers and determine to what URL the request was sent (or if someone is daring enough to hard code it into their code…)
Doing so, jwt.verify also checks that the token was sent by monday to the URL in question. I use it in my auth stage, as just a tiny bit of extra checking. Obviously an issue if you use redirects.
Now if only the expiration timestamp in the JWT wasn't several minutes after the one in the shortLivedToken, which is when the API server starts rejecting the token. So I have to also verify the slt to get the real expiration time, so I can reject the request if the slt is too close to becoming invalid to complete execution of the scenario.