Protecting Node.js APIs: Audiences, Scopes, and Bearer Tokens
Most APIs leak in the same handful of ways: missing audience checks, scope rules scattered across handlers, JWT validation that drifts out of date, tokens issued for one service quietly accepted by an
monocloud.hashnode.dev · 7 min read