re: I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything VIEW POST

TOP OF THREAD FULL DISCUSSION
re: An absolute thank you for all those information, I have now more information about differenciation between the what and the who. I was only checkin...

You got it the other way around...

The who represent the user, your JWT token and the what represents the mechanism used to make the request, aka was the request made by your web app without have been tampered, was the request made by Postman or by Curl, etc..

So until now you have been checking the who, aka the JWT token that represents the user authentication,

code of conduct - report abuse