TungWU

If you put `en-US` as the first item, it won't be matched. The problem is the library didn't consider the confidence level if it is not `Exact`. (`zh-CN` is `Low`...

I guess what we are actually confused is `standard attributes` vs `standard claims`?

@louischan-oursky Not sure if we should do it, what do you think?

Maybe it is not a good idea to allow localhost in production https://community.auth0.com/t/why-localhost-is-not-recommended-as-an-allowed-callback-or-origin-for-production/46668/11

I've checked how auth0 and google handled cors. Google has separated config for allowed origin:  And auth0 also has similar config: https://auth0.com/docs/get-started/applications/set-up-cors It seems what we should do is...

I think we mainly want the user to be able to set it in portal, so they can add allowed origins for the capacitor app.

https://github.com/authgear/authgear-sdk-android/blob/main/sdk/src/main/java/com/oursky/authgear/JWT.kt#L42 https://github.com/authgear/authgear-sdk-ios/blob/main/Sources/JWT.swift#L66 Maybe we should consider give a longer lifetime to the JWT. It is 1 minute now.