In addition to CodeShepherd's answer: The reverse proxy will validate the following properties of the token for all incoming HTTPS requests:

- Is the signature of the token valid?
- Is the token expired?
- Is the session still on the whitelist (e.g. when you delete a session using the user & permissions dialog)?

It will not validate any scopes; that has to be done in your application. The reverse proxy will do this validation for all paths that are listed in the restricted array of the package-manifest, including all subpaths.
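An added example, not part of the original answer, of the scope check the application still has to perform on restricted paths after the reverse proxy has validated signature, expiry and session. It assumes the token is a JWT sent as a Bearer header and that scopes sit in a `scope` claim; the scope name and all function names are hypothetical.

```python
import base64
import json

# Hypothetical scope name; real scopes are the ones your own app declares.
REQUIRED_SCOPE = "example-app.settings.rw"


def claims_from_bearer(authorization_header):
    """Return the token's claims as a dict, or None if the header is unusable.

    Assumes a JWT bearer token. The signature is NOT checked here because,
    per the answer above, the reverse proxy already did that for restricted
    paths. Never rely on this for paths the proxy does not protect.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def authorize(authorization_header, required_scope=REQUIRED_SCOPE):
    """Return 401 without a usable token, 403 without the scope, else 200."""
    claims = claims_from_bearer(authorization_header)
    if claims is None:
        return 401
    scopes = claims.get("scope", [])  # assumed claim name
    if isinstance(scopes, str):       # tolerate a space-separated string
        scopes = scopes.split()
    if not isinstance(scopes, list):
        return 403
    return 200 if required_scope in scopes else 403


def make_constructed_token(claims):
    """Build a constructed sample header with a dummy signature (demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "Bearer " + ".".join([enc({"alg": "ES384", "typ": "JWT"}), enc(claims), "sig"])
```

Call `authorize()` in every handler behind a restricted path and deny by default when the claim is missing or malformed.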