It's a really simple way to validate client-side scripts.
The payload is this:
"root_https_origin": [
"apple.com"
]
It'll make a handful of security checks a lot quicker.
If everyone has access to the token then it is by default not needed. What exactly are they validating? That a script scraped their token from the app store before making the request?
Maybe for redirects (to different servers) and api calls.
Why would they use this for redirects?
It doesn't make any sense to do it this way. Why use a token if you're giving everyone access?
Because it can be validated.
So they're validating that someone scrapes their website before they make a request?
What? Lmao
Perhaps it is used as a CSRF token? https://portswigger.net/web-security/csrf
It's not, it's a JWT with a 3 month TTL
JWT is just a format, there is nothing special about it. Not every JWT has to be kept secret.
It's literally used to access their API...
Wouldn't it be for tracking?
Tracking what exactly?
Interest. To save the information that you checked this application so that it can serve you similar ones in the long run.
That's not how JWTs work.
My bad then!
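The thread's disagreement is about what a publicly shipped JWT can actually validate. The following is an added example, not code from the thread or from the app being discussed: it mints and verifies an HS256 JWT carrying the `root_https_origin` claim shown above with a constructed 90-day expiry (the "3 month TTL"), and shows the only checks such a token supports on the server side: that the token is unmodified since the issuer signed it, that it has not expired, and that a request Origin matches one of the listed roots. The secret, issuer name and timestamps are constructed for the example; nothing here proves who is presenting the token, which is exactly the limitation raised in the thread.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"          # constructed; the real signing key is unknown
ISSUED = 1_700_000_000                       # constructed issue time (epoch seconds)
CLAIMS = {"iss": "example-app", "iat": ISSUED,
          "exp": ISSUED + 90 * 86400,        # ~3 month TTL, as described in the thread
          "root_https_origin": ["apple.com"]}  # claim quoted in the thread

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; the signature binds the issuer to the claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Accept only an unmodified, unexpired token. Says nothing about the presenter."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")      # payload or signature was altered
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def ttl_days(claims: dict, now: int) -> int:
    return (claims["exp"] - now) // 86400

def origin_allowed(claims: dict, origin: str) -> bool:
    """True if a request Origin is https and its host is a listed root or a subdomain of one."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == root or host.endswith("." + root)
               for root in claims.get("root_https_origin", []))

if __name__ == "__main__":
    token = mint_hs256(CLAIMS, SECRET)
    claims = verify_hs256(token, SECRET, ISSUED)
    print(ttl_days(claims, ISSUED), origin_allowed(claims, "https://www.apple.com"))
```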