ALB will validate the token signature and requires two mandatory claims: 'iss' (issuer) and 'exp' (expiration). Additionally, if present in the token, ALB will also validate 'nbf' (not before) and 'iat' (issued at time) claims. You can configure up to 10 additional claims for validation.

These claims support three formats:
🔹 Single-string: A single text value
🔹 Space-separated values: Multiple values separated by spaces (maximum 10 values)
🔹 String-array: An array of text values (maximum 10 values)

If the token is valid, the load balancer forwards the request with token as is to the target. Otherwise, it rejects the request.

Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support the ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support SecP256r1MLKEM768, SecP384r1MLKEM1024 and X25519MLKEM768 algorithms.