diff --git a/docker-compose.yaml b/docker-compose.yaml
index 867cadb8..551a4991 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -91,6 +91,9 @@ services:
 UPSTREAM_URL: ${UPSTREAM_URL:-http://stac:8001}
 OIDC_DISCOVERY_URL: ${OIDC_DISCOVERY_URL:-http://localhost:8888/.well-known/openid-configuration}
 OIDC_DISCOVERY_INTERNAL_URL: ${OIDC_DISCOVERY_INTERNAL_URL:-http://oidc:8888/.well-known/openid-configuration}
+ AUDIENCE: ${AUDIENCE}
+
+
 env_file:
 - path: .env
 required: false
diff --git a/docs/user-guide/configuration.md b/docs/user-guide/configuration.md
index 631dcbcc..ac738aaf 100644
--- a/docs/user-guide/configuration.md
+++ b/docs/user-guide/configuration.md
@@ -79,6 +79,14 @@ The application is configurable via environment variables.
 **Required:** No, defaults to the value of `OIDC_DISCOVERY_URL`
 **Example:** `http://auth/.well-known/openid-configuration`
+### `AUDIENCE`
+
+: The unique identifier of your API resource server
+
+ The AUDIENCE environment variable specifies the intended recipient of OAuth2 access tokens. This value represents the unique identifier of your API resource server and must match the `aud` (audience) claim present in incoming OAuth2 access tokens. If undefined the API will not impose a check on the `aud` claim
+
+OAuth2 Audience Claim
+
 ### `DEFAULT_PUBLIC`
 : Default access policy for endpoints
diff --git a/src/stac_auth_proxy/app.py b/src/stac_auth_proxy/app.py
index 90611a9f..a456ef2a 100644
--- a/src/stac_auth_proxy/app.py
+++ b/src/stac_auth_proxy/app.py
@@ -157,6 +157,7 @@ async def lifespan(app: FastAPI):
 private_endpoints=settings.private_endpoints,
 default_public=settings.default_public,
 oidc_discovery_url=settings.oidc_discovery_internal_url,
+ allowed_jwt_audiences=settings.audience,
 )
 if settings.root_path or settings.upstream_url.path != "/":
diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
index c1d8bedc..27496238 100644
--- a/src/stac_auth_proxy/config.py
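Review bot: `AUDIENCE: ${AUDIENCE}` has no default, so when the variable is unset Compose substitutes an empty string and the container receives `AUDIENCE=` rather than no variable at all; the docs hunk promises that an undefined AUDIENCE disables the `aud` check, but `Settings.audience` in the config.py hunk is declared `Optional[str] = None` and would presumably be populated with `""`, which is not `None`. Whether an empty string still disables the check, or instead makes every token fail (or pass) the audience comparison, depends on how the middleware treats it, and that is not visible here; the safest fix is on the config.py side, a before-validator on `audience` that maps a blank or whitespace-only value to `None`, so both this explicit compose entry and an empty `.env` line behave as "unset". The two blank `+` lines after the new key look like stray whitespace and should be dropped.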
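Review bot: `allowed_jwt_audiences=settings.audience` hands a single `Optional[str]` to a parameter whose plural name suggests the middleware expects a collection; if it iterates the value or does a membership test, a plain string would be treated character by character, so check the middleware's signature and, if it wants a sequence, pass `allowed_jwt_audiences=[settings.audience] if settings.audience else None`. Since leaving AUDIENCE unset means the proxy accepts any token the issuer minted for any other resource server, it is worth emitting a startup warning at this call site when `settings.audience` is falsy, e.g. `logger.warning("AUDIENCE is not set; the aud claim of access tokens will not be verified")` if the module has a logger. `lifespan` continues outside the hunk.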
+++ b/src/stac_auth_proxy/config.py
@@ -39,6 +39,7 @@ class Settings(BaseSettings):
 upstream_url: HttpUrl
 oidc_discovery_url: HttpUrl
 oidc_discovery_internal_url: HttpUrl
+ audience: Optional[str] = None
 root_path: str = ""
 override_host: bool = True
diff --git a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
index 7d7bc177..8f26b025 100644
--- a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
+++ b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
@@ -173,6 +173,7 @@ def validate_token(
 detail="Not enough permissions",
 headers={"WWW-Authenticate": f'Bearer scope="{scope}"'},
 )
+ return payload
 @property
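Review bot: `audience: Optional[str] = None` is added without any hint of its meaning or its security effect, unlike the documented environment variable in the docs hunk; a short comment such as `# Expected aud claim of access tokens; None disables the audience check` would tell a reader of this class that leaving it unset weakens token validation. The comment should also state what an empty string does, since the environment path can deliver `""` rather than `None` (see the docker-compose hunk). The `Settings` class continues on both sides of the hunk.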