STANDARD

Resource Indicators (RFC 8707) — Primer

Resource Indicators (RFC 8707) adds the resource parameter, which lets a client name the API it wants to call so the authorization server (AS) can mint a token with the correct audience for that API.


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

RFC 8707 defines the resource parameter to indicate the target resource server (RS). Values MUST be absolute URIs without fragments. The AS issues a token suitable for that resource (often reflected in the aud claim).

x-www-form-urlencoded

```
grant_type=client_credentials&
scope=admin.api&
resource=https://idp.example.com/api/admin
```

```mermaid
sequenceDiagram
  participant Client
  participant AS as Authorization Server
  participant Admin as Admin API
  Client->>AS: /token (resource=https://.../api/admin)
  AS-->>Client: access_token (aud matches resource)
  Client->>Admin: Authorization: Bearer <access_token>
```

Multiple resource values may be sent; the AS selects what it supports. If both a vendor-specific audience parameter and resource are sent, follow your AS's precedence rules (the RFC recommends resource).
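
The checks described above, as an added example (not code from this page's vendor or from the RFC): an AS-side validator that rejects malformed resource values with invalid_target and grants only supported ones, plus the matching aud check on the resource server. SUPPORTED, SAMPLE_BODY and all function names are hypothetical, and requiring https with a host is this sketch's policy, stricter than the RFC's absolute-URI rule.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: resources this hypothetical AS can mint tokens for.
SUPPORTED = {"https://idp.example.com/api/admin"}

# Constructed token request body with two resource values (percent-encoded).
SAMPLE_BODY = (
    "grant_type=client_credentials&scope=admin.api"
    "&resource=https%3A%2F%2Fidp.example.com%2Fapi%2Fadmin"
    "&resource=https%3A%2F%2Fother.example.com%2F"
)


class InvalidTarget(Exception):
    """Maps to the RFC 8707 error code invalid_target."""


def check_resource(value):
    """Enforce the syntax rules on one decoded resource value."""
    parts = urlsplit(value)
    # Assumption: https-only policy; the RFC itself only requires an absolute URI.
    if parts.scheme != "https" or not parts.netloc:
        raise InvalidTarget(f"not an absolute https URI: {value!r}")
    # Check the raw string so an empty fragment ("...#") is also caught.
    if "#" in value:
        raise InvalidTarget(f"fragment not allowed: {value!r}")
    return value


def audiences_for(body):
    """Return the audience list the AS would place in the token."""
    requested = parse_qs(body).get("resource", [])
    valid = [check_resource(v) for v in requested]  # any bad value fails the request
    granted = [v for v in valid if v in SUPPORTED]  # the AS selects what it supports
    if requested and not granted:
        raise InvalidTarget("no requested resource is supported")
    return granted


def rs_accepts(claims, own_identifier):
    """Resource-server side: reject tokens minted for a different API."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list
        aud = [aud]
    return own_identifier in aud
```

The resource-server check is what makes the audience restriction effective: a token whose aud names a different API is refused even if its signature and scope are valid.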
