tuupola / slim-jwt-auth

PSR-7 and PSR-15 JWT Authentication Middleware
https://appelsiini.net/projects/slim-jwt-auth
MIT License

Question: Prevent a token generated on System A to be used on System B #208

Status: Closed (by IAmWebSA, 2 years ago)

IAmWebSA commented 3 years ago

Hello,

I wanted to know, or even better see an example of, how to prevent a token generated on System A from being used on System B, if they use the same secret key.

What would be the best secure solution?

  1. Reject the token if it comes from another "issuer" system
  2. Create a dynamic Secret for each system and therefore the token would fail to be decoded.

From my feeling Solution 2 would be the more robust and secure one.

Do you agree or any other thoughts?

Many Thanks in advance

tuupola commented 3 years ago

I would use a different secret for each system, i.e. solution 2.
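To make the two options from the question concrete, here is an added example in plain PHP (it is not code from the issue or from the slim-jwt-auth project, and it uses no library so that it runs with a stock PHP CLI). It mints and verifies HS256 tokens with a per-system secret (solution 2) and additionally pins the `iss` claim to the issuer a system accepts (solution 1). The system names and secrets are constructed sample values.

```php
<?php
// Added example, not part of the issue or of slim-jwt-auth.
// Minimal HS256 JWT mint/verify to show why a per-system secret (solution 2)
// rejects a foreign token at the signature step, and where an `iss` check
// (solution 1) sits if both systems ever share a secret.
declare(strict_types=1);

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): ?string
{
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($data, '-_', '+/') . $pad, true);
    return $decoded === false ? null : $decoded;
}

// Mint a token for the given claims, signed with the issuing system's secret.
function mintToken(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify with THIS system's secret, then require the issuer THIS system trusts.
// Returns the claims on success, null on any failure.
function verifyToken(string $jwt, string $secret, string $expectedIssuer): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    $headerJson = b64urlDecode($h);
    $header = $headerJson === null ? null : json_decode($headerJson, true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null; // pin the algorithm; never trust "alg" from the token to pick a verifier
    }

    $sigBytes = b64urlDecode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if ($sigBytes === null || !hash_equals($expected, $sigBytes)) {
        return null; // solution 2: a token signed with another system's secret fails here
    }

    $claimsJson = b64urlDecode($p);
    $claims = $claimsJson === null ? null : json_decode($claimsJson, true);
    if (!is_array($claims)) {
        return null;
    }
    if (($claims['iss'] ?? null) !== $expectedIssuer) {
        return null; // solution 1: a validly signed token from the wrong issuer fails here
    }
    if (isset($claims['exp']) && time() >= (int) $claims['exp']) {
        return null; // expired
    }
    return $claims;
}

// Constructed sample secrets; each deployed system would hold only its own.
$secrets = [
    'system-a' => 'constructed-secret-for-system-a',
    'system-b' => 'constructed-secret-for-system-b',
];

$tokenFromA = mintToken(
    ['iss' => 'system-a', 'sub' => 'user42', 'exp' => time() + 3600],
    $secrets['system-a']
);

// Accepted on A: correct secret and expected issuer.
var_dump(verifyToken($tokenFromA, $secrets['system-a'], 'system-a') !== null);

// Rejected on B: the HMAC does not verify under B's own secret (solution 2).
var_dump(verifyToken($tokenFromA, $secrets['system-b'], 'system-b') !== null);

// If B wrongly shared A's secret, only the issuer check (solution 1) would stop it.
var_dump(verifyToken($tokenFromA, $secrets['system-a'], 'system-b') !== null);
```

The first `var_dump` prints true and the other two print false. The third case shows why the issuer check is a weaker control on its own: with a shared secret, any party holding it can mint a token carrying whatever `iss` value the receiving system expects, so the `iss` claim only adds assurance on top of a secret that the receiving system does not share with anyone else.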