Will a token be valid if issued by another app?

If I have app A registered as an SPA that created a JWT token, and this app sends this token to another SPA, app B, and app B sends a token validation request to Okta, will this token be valid?

From what I’ve tested it looks like it is considered valid.
Even when using a regular web app (using client_id + client_secret basic auth) and hitting the /introspect endpoint, you get a response saying the token is valid, even when the client_id is different.
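An added example, not part of the original posts: since `active: true` from `/introspect` does not say which client the token was issued to, the receiving app can check the `client_id`, `aud` and `iss` fields of the introspection response (RFC 7662) before accepting the token. The issuer URL, audience, client ids and the `acceptIntrospection` helper are constructed placeholders, and the sample responses are constructed, not captured from Okta.

```javascript
// Policy for app B. Every value here is a constructed placeholder.
const POLICY = {
  issuer: "https://example.okta.com/oauth2/default",
  audience: "api://default",
  allowedClientIds: new Set(["client-id-app-b"]), // clients app B accepts tokens from
};

// `resp` is the parsed JSON body of an RFC 7662 introspection response.
// Returns { ok, reason } so the caller can log why a token was refused.
function acceptIntrospection(resp, policy, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!resp || resp.active !== true) return { ok: false, reason: "inactive" };
  if (resp.iss !== policy.issuer) return { ok: false, reason: "issuer" };

  // `aud` may be a single string or an array of strings; a missing value fails closed.
  const aud = Array.isArray(resp.aud) ? resp.aud : [resp.aud];
  if (!aud.includes(policy.audience)) return { ok: false, reason: "audience" };

  // The check the thread is about: the token is active, but was it issued to a client we trust?
  if (typeof resp.client_id !== "string" || !policy.allowedClientIds.has(resp.client_id)) {
    return { ok: false, reason: "client_id" };
  }

  if (typeof resp.exp !== "number" || resp.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample responses: same issuer and audience, different issuing client.
const NOW = 1700000000;
const issuedToAppA = {
  active: true, iss: POLICY.issuer, aud: "api://default",
  client_id: "client-id-app-a", exp: NOW + 3600,
};
const issuedToAppB = { ...issuedToAppA, client_id: "client-id-app-b" };

console.log(acceptIntrospection(issuedToAppA, POLICY, NOW)); // refused on client_id
console.log(acceptIntrospection(issuedToAppB, POLICY, NOW)); // accepted
```

If app B is meant to accept tokens minted for app A, add app A's client id to `allowedClientIds` explicitly rather than skipping the check.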
