From fe27173fa757a018b47690f17791372b84c3cf39 Mon Sep 17 00:00:00 2001 From: Elar Lang <47597707+elarlang@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:04:00 +0300 Subject: [PATCH] no cross-usage for tokens --- 5.0/en/0x12-V3-Session-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/5.0/en/0x12-V3-Session-management.md b/5.0/en/0x12-V3-Session-management.md index 6357ff8237..7ef42c57f5 100644 --- a/5.0/en/0x12-V3-Session-management.md +++ b/5.0/en/0x12-V3-Session-management.md @@ -68,6 +68,7 @@ Token-based session management includes JWT, OAuth, SAML, and API keys. Of these | **3.5.5** | [ADDED] Verify that only signing algorithms on an allowlist are allowed for a stateless token. | ✓ | ✓ | ✓ | 757 | | | **3.5.6** | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | ✓ | ✓ | ✓ | 287 | | | **3.5.7** | [ADDED] Verify that all active stateless tokens, which are being relied upon for access control decisions, are revoked when admins change the entitlements or roles of the user. | ✓ | ✓ | ✓ | 613 | | +| **3.5.8** | [ADDED] Verify that tokens (such as ID tokens, access tokens and refresh tokens) can only be used for their intended purpose. For example, ID tokens can only be used to prove user authentication for the client. | ✓ | ✓ | ✓ | | | ## V3.6 Federated Re-authentication
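Review bot: the new 3.5.8 row leaves the CWE column empty while the neighbouring rows 3.5.5 to 3.5.7 each carry one (757, 287, 613); either fill it in or say in the PR why no CWE applies, so the table stays consistent. The requirement as worded ("can only be used for their intended purpose") also overlaps with 3.5.6, since verifying issuer, subject and audience is exactly how a receiving party rejects a token that was not issued for it; consider stating the testable behaviour explicitly, for example "Verify that an ID token is not accepted as an access token by a resource server, and that tokens are only accepted by the party they were issued for", so a verifier knows what to check rather than inferring it from the example.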