From 6cd467d773a9eb6750a8e049e5dae15be3c25f95 Mon Sep 17 00:00:00 2001 From: Mario Andrija Balug <37574078+mbalug7@users.noreply.github.com> Date: Mon, 8 Jul 2024 08:03:30 +0200 Subject: [PATCH] docs: note audience scope for service user (#8252) # Which Problems Are Solved - It is not possible to introspect service user token if `urn:zitadel:iam:org:project:id:{projectid}:aud` scope is not added in token request. - Adding this note to the document could reduce confusion and debugging time - https://discord.com/channels/927474939156643850/1168857403945660436/1168930850029707386 --------- Co-authored-by: Livio Spring --- docs/docs/guides/integrate/service-users/client-credentials.md | 3 +++ docs/docs/guides/integrate/service-users/private-key-jwt.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/docs/docs/guides/integrate/service-users/client-credentials.md b/docs/docs/guides/integrate/service-users/client-credentials.md index 438fec1ef1..a6ef909d24 100644 --- a/docs/docs/guides/integrate/service-users/client-credentials.md +++ b/docs/docs/guides/integrate/service-users/client-credentials.md @@ -49,6 +49,9 @@ curl --request POST \ If you want to access ZITADEL APIs, make sure to include the required scopes `urn:zitadel:iam:org:project:id:zitadel:aud`. Read our guide [how to access ZITADEL APIs](../zitadel-apis/access-zitadel-apis) to learn more. +**Important Note:** If the service user token needs to be validated using token introspection, ensure you include the `urn:zitadel:iam:org:project:id:{projectid}:aud` scope in your token request. +Without this, token introspection will fail. + You should receive a successful response with `access_token`, `token_type` and time to expiry in seconds as `expires_in`. ```bash diff --git a/docs/docs/guides/integrate/service-users/private-key-jwt.md b/docs/docs/guides/integrate/service-users/private-key-jwt.md index da1c6de432..3993831aff 100644 --- a/docs/docs/guides/integrate/service-users/private-key-jwt.md 
+++ b/docs/docs/guides/integrate/service-users/private-key-jwt.md @@ -163,6 +163,9 @@ curl --request POST \ If you want to access ZITADEL APIs, make sure to include the required scopes `urn:zitadel:iam:org:project:id:zitadel:aud`. Read our guide [how to access ZITADEL APIs](../zitadel-apis/access-zitadel-apis) to learn more. +**Important Note:** If the service user token needs to be validated using token introspection, ensure you include the `urn:zitadel:iam:org:project:id:{projectid}:aud` scope in your token request. +Without this, token introspection will fail. + You should receive a successful response with `access_token`, `token_type` and time to expiry in seconds as `expires_in`. ```bash
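Review bot: in the `client-credentials.md` hunk (`@@ -49,6 +49,9 @@`), the added note never says which project `{projectid}` refers to, and the sentence directly above it uses the literal `zitadel` in the same position of `urn:zitadel:iam:org:project:id:zitadel:aud`, so the two scopes are easy to confuse. Please state whose project ID goes there and that the whole placeholder, braces included, is replaced. "Without this, token introspection will fail" would also be more useful for debugging if it said what the caller of the introspection endpoint actually observes, since the commit message gives reduced debugging time as the motivation.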
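Review bot: in the `private-key-jwt.md` hunk (`@@ -163,6 +163,9 @@`), the note is a verbatim copy of the one added to `client-credentials.md`, and in both places it sits next to the `urn:zitadel:iam:org:project:id:zitadel:aud` sentence without saying how the two relate. A reader who needs both ZITADEL API access and introspection is not told that the scopes are requested together as one space-separated `scope` value. Consider adding that, and keeping the wording in one shared snippet so the two guides cannot drift apart. The note also lands after the `curl --request POST \` example it modifies, so a short pointer back to the `scope` parameter of that request would help.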