The documentation (https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html#_runtime_expectations and https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#_runtime_expectations) doesn't mention it, but if the configuration has the spring.security.oauth2.resourceserver.jwt.audiences property set than the resource server will validate the aud claims as well.