Post by @emmy

@emmy@transfem.social

I read my timeline chronologically. But usually on my alt account. Pronouns explanation: Try to use my name instead. If you feel that's too repetitive (especially subjective and possessive), you can shorten it to em. I'm trans, but surprisingly I don't feel either "Binary" or "Non-Binary" describes me. But also my gender is static so I'm not gender fluid either. I'm religious (Muslim) but I don't have a problem with non-religious people (if you don't understand why I'm mentioning this, it's not directed at you). I'm married to a cis woman (R) and we have two kids (F and Y). I have an alt account at: @emmy@mastodon.catgirl.cloud #nobot

transfem.social

إمي ❄️🏳️‍⚧️🇵🇸

@emmy@transfem.social

transfem.social

@emmy@transfem.social · Mar 16, 2026

How should I disambiguate JWTs from different sources?

I can't use the key ID (kid) from the JWT header, because it's perfectly fine for the same issuer to use the same key for two environments (not that they should, but they technically could).

I could use the issuer (iss) from the JWT claims payload (before verification, ew, but I have no choice). But the problem is that I don't know the issuer until I fetch the Open ID configuration. I prefer not to depend on an external resource on this code path (which gets called for every request).

Maybe I can use the client ID? This is configuration in our own application, not an external one. Looking at some JWTs, there's the "client_id" field in JWT claims payload. I don't think that's standard though.

Conversation (2)