We are recommending stricter JWT ACL list authentication requirements for all applications.
- New Requirement: Client-side JWTs must include properly configured Access Control Lists (ACLs) that specify only the API paths your application actually uses
- Security Recommendation: This follows the principle of least privilege, limiting access to only required resources
- Performance Benefit: Reduced token scope improves authentication speed and security
Applies To
- In-App Voice (Conversations)
- Verify Silent Auth
- Video (Unified environment only)
How to recognize if I’m using Vonage Video API Unified Environment or Vonage Video API OpenTok environment?
Cause
Your JWT tokens are using overly broad access permissions ("/**/applications/***": {}) that could allow unauthorized access to your applications.
Action Required
Please update your JWT ACL to use specific, limited permissions instead of wildcard patterns.
For example:
- Remove "/**/applications/***": {}
- In ACL list use only the paths that are needed to perform operation
Next Steps
- Review your current JWT configuration
- Update ACL permissions to be more restrictive
- Test the changes in your development environment first
Overly permissive tokens are allowed to access your accounts in intended ways.
Additional Information
- Authentication documentation
- JWT Generator Tools
- Use jwt.io to validate your token structure
- Best-Security-Practices-for-Your-Vonage-API-Account
Articles in this section
- Deprecation of Query Parameter API Authentication (Action Required: Migration to Header-Based Authentication)
- Action Required: Update Your JWT TTL Configuration for Enhanced Security
- Action Required: Update Your JWT ACL and Claim Configuration for Enhanced Security
- Action Required: Update Your JWT Configuration for Enhanced Security