From 9ae46fd4da67af7852890181e7e2f21945349373 Mon Sep 17 00:00:00 2001 From: Elio Bischof Date: Mon, 22 May 2023 06:26:56 +0200 Subject: [PATCH] docs: add aud scope to private key token (#5891) * docs: add aud scope to private key token * docs: describe aud scope in private key jwt * ensure zitadel scope is display correctly --------- Co-authored-by: Livio Spring --- docs/docs/guides/integrate/private-key-jwt.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/docs/guides/integrate/private-key-jwt.md b/docs/docs/guides/integrate/private-key-jwt.md index a02f48b376..227af7a8e7 100644 --- a/docs/docs/guides/integrate/private-key-jwt.md +++ b/docs/docs/guides/integrate/private-key-jwt.md @@ -15,7 +15,7 @@ This is a guide on how to create service users in ZITADEL. You can read more abo In ZITADEL we use the `urn:ietf:params:oauth:grant-type:jwt-bearer` (**“JWT bearer token with private key”**, [RFC7523](https://tools.ietf.org/html/rfc7523)) authorization grant for this non-interactive authentication. -You need to follow these steps to authenticate a service user and receive a access token: +You need to follow these steps to authenticate a service user and receive an access token: 1. Generate a private-public key pair in ZITADEL 2. Create a JSON Web Token (JWT) and sign with private key @@ -25,7 +25,7 @@ With this token you can make subsequent requests, just like a human user. ## Get an access token -In this step we will authenticate a service user and receive an access_token to use against a API. +In this step we will authenticate a service user and receive an access_token to use against the API. > **Information:** Are you stuck? Don't hesitate to reach out to us on [Github Discussions](https://github.com/zitadel/zitadel/discussions) or [contact us](https://zitadel.com/contact/) privately. 
@@ -96,6 +96,8 @@ curl --request POST \ --data assertion=eyJ0eXAiOiJKV1QiL... ``` +If you want to access the ZITADEL API with this access token, you have to add `urn:zitadel:iam:org:project:id:zitadel:aud` to the list of scopes. + * `grant_type` should be set to `urn:ietf:params:oauth:grant-type:jwt-bearer` * `scope` should contain any [Scopes](/apis/openidoauth/scopes) you want to include, but must include `openid`. For this example, please include `profile` and `email` * `assertion` is the encoded value of the JWT that was signed with your private key from the prior step
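Review bot: in the `@@ -25,7 +25,7 @@` hunk, "against the API" is still ambiguous: the sentence added later in this same patch (the `@@ -96,6 +96,8 @@` hunk) distinguishes calling the ZITADEL API, which needs an extra `aud` scope, from calling any other API with the same token, so the reader cannot tell which API this line means. Suggest "to use against your API" if the guide's default target is the reader's own service, or "against the ZITADEL API" if that is the intended target, so the wording lines up with the scope note below. While touching this region, the unchanged context `[Github Discussions]` should be spelled `GitHub`.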
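Review bot: in the `@@ -96,6 +96,8 @@` hunk, the new sentence about `urn:zitadel:iam:org:project:id:zitadel:aud` is placed between the curl example and the parameter list, so it reads as a remark on the example as a whole, while the `scope` bullet that follows tells the reader which scopes to include without mentioning it; a reader following the bullets will miss the requirement. Suggest folding it into that bullet, e.g. `* scope ... For this example, please include profile and email. If the token is meant for the ZITADEL API itself, also include urn:zitadel:iam:org:project:id:zitadel:aud.`, and stating explicitly that a token without this scope is not accepted by the ZITADEL API, which the current wording only implies. The backticks around the scope value (the "ensure zitadel scope is display correctly" item in the commit message) are present and render the underscore-free URN as code, so that part looks fine.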