Hi monday team,
I’m debugging a monday-code live installation issue and wanted to confirm expected behavior for the signed JWT aud field.
For a new user installing the live app, the authenticated request context contains this public base URL derived from aud:
https://ee78c-service-14856766-dfa...
But the expected live app URL is:
https://live1-service-14856766-dfa...
Example log:
[userId=103522...] Authenticated monday request context: { accountId: 14856..., userId: 103522..., hasBackToUrl: true, hasShortLivedToken: true, publicBaseUrl: 'https://ee78c-service-14856766-dfa...' }
We use the JWT aud value to build OAuth redirect URIs and Google Calendar webhook URLs. If aud can contain a transient/internal service URL instead of the canonical live URL, those redirects/webhooks may be registered against the wrong host.
Is it expected that aud may point to a non-live monday-code service URL for live installations? Or should live app requests always include the canonical live URL in aud?
If this is expected behavior, what is the recommended way to reliably determine the canonical public live URL for OAuth redirects and external webhooks?
Thanks.