saleor · Droniu · Mar 20, 2025 · Mar 20, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/docs/api-usage/authentication.mdx b/docs/api-usage/authentication.mdx
@@ -484,7 +484,13 @@ sequenceDiagram
 
 ### Setup
 
-To use this flow, you need to configure the OIDC plugin providing values for **JSON Web Key Set URL** and **User info URL**.
+To use this flow, you need to configure the [OIDC plugin](../developer/app-store/plugins/oidc) providing values for **JSON Web Key Set URL**, **User info URL**.
+If you use OAuth permissions, you will also need to provide **Audience** value.
+:::info
+Audience claim is a string that identifies the intended recipient of the token. It is used to prevent token misuse across different services. When a service receives a JWT with an audience value that does not match the expected value, the token is rejected.
+
+Your Identity Provider (IdP) might provide a fixed audience value (typically the Client ID) or allow you to set a custom value. If configurable, a good practice is to set it to the public URL of the API or resource the token is intended for.
+:::
 
 Once you obtain the access token, include it in the HTTP `authorization` header when making requests to the API:
 

diff --git a/docs/developer/app-store/plugins/oidc.mdx b/docs/developer/app-store/plugins/oidc.mdx
@@ -22,7 +22,7 @@ Go to Configuration -> Plugins -> OpenID Connect and fill in the fields:
   keys used to verify any JSON Web Token (JWT) issued by the authorization server (Required for both integration flows).
 - **User info URL:** The URL which can be used to fetch user details by using an access token (Required for flow: _Saleor as a resource server_).
 - **OAuth logout URL:** The logout URL which Saleor will return for frontend's logout request (Optional for flow: _Saleor as a client for authorization server_).
-- **Audience:** The Oauth resource identifier. If provided, Saleor will define the audience for each authorization request. Used to fetch user permissions from OAuth provider and map it to Saleor's permission (Optional for both integration flows).
+- **Audience:** The Oauth resource identifier. If provided, Saleor will define the audience for each authorization request. Used to fetch user permissions from OAuth provider and map it to Saleor's permission (Optional for both flows, but required if you use OAuth permissions).
 - **Use OAuth scope permissions:** Use OAuth scope permissions to grant a logged-in user access to protected resources. Your OAuth provider needs to have defined Saleor's permission scopes in format \_saleor:&lt;saleor-permission&gt; (Required for both integration flows).
 - **Staff user domains:** The domains of the user emails, separated by commas, that should be treated as staff users.
 - **Default permission group name for new staff users:** The name of the default permission group to which the new staff user should be assigned to.