diff --git a/.env.template b/.env.template
index 328d3301..c2a4d8a2 100644
--- a/.env.template
+++ b/.env.template
@@ -55,6 +55,10 @@ SPEAKER_SERVICE_URL=http://${DOMAIN}:${SPEAKER_PORT}
 # JWT secret key - make this random and long
 AUTH_SECRET_KEY=your-super-secret-jwt-key-here-make-it-random-and-long
+# JWT-token issuer ACCEPTED_ISSUERS can be a comma-separated list of accepted issuers
+# defaults to 'chronicle,ushadow' if not set
+# ACCEPTED_ISSUERS=chronicle,ushadow
+
 # Admin account
 ADMIN_EMAIL=admin@example.com
 ADMIN_PASSWORD=secure-admin-password
diff --git a/backends/advanced/src/advanced_omi_backend/auth.py b/backends/advanced/src/advanced_omi_backend/auth.py
index 7c68d0b4..f1b7909a 100644
--- a/backends/advanced/src/advanced_omi_backend/auth.py
+++ b/backends/advanced/src/advanced_omi_backend/auth.py
@@ -50,6 +50,14 @@ def _verify_configured(var_name: str, *, optional: bool = False) -> Optional[str
 ADMIN_PASSWORD = _verify_configured("ADMIN_PASSWORD")
 ADMIN_EMAIL = _verify_configured("ADMIN_EMAIL", optional=True) or "admin@example.com"
+# Accepted token issuers - comma-separated list of services whose tokens we accept
+# Default: "chronicle,ushadow" (accept tokens from both chronicle and ushadow)
+ACCEPTED_ISSUERS = [
+    iss.strip()
+    for iss in os.getenv("ACCEPTED_TOKEN_ISSUERS", "chronicle,ushadow").split(",")
+    if iss.strip()
+]
+logger.info(f"Accepting tokens from issuers: {ACCEPTED_ISSUERS}")
 class UserManager(BaseUserManager[User, PydanticObjectId]):
     """User manager with minimal customization for fastapi-users."""
@@ -100,7 +108,8 @@ async def get_user_manager(user_db=Depends(get_user_db)):
 def get_jwt_strategy() -> JWTStrategy:
     """Get JWT strategy for token generation and validation."""
     return JWTStrategy(
-        secret=SECRET_KEY, lifetime_seconds=JWT_LIFETIME_SECONDS
+        secret=SECRET_KEY, lifetime_seconds=JWT_LIFETIME_SECONDS,
+        token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS
     )
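Review bot: The variable documented here, `ACCEPTED_ISSUERS`, is not the one the code reads — the auth.py hunk below calls `os.getenv("ACCEPTED_TOKEN_ISSUERS", "chronicle,ushadow")` — so an operator who uncomments the template line gets no effect and the built-in default stays in force. Either change the template to `# ACCEPTED_TOKEN_ISSUERS=chronicle,ushadow` or change the getenv key in auth.py; the template is what deployments will copy, so the two must agree. The first comment line also reads awkwardly; `# Accepted JWT token issuers (comma-separated); defaults to 'chronicle,ushadow' if unset` says the same thing in one line.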
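Review bot: `ACCEPTED_ISSUERS` and the comment `services whose tokens we accept` describe an issuer check, but the only place the list is used (the `get_jwt_strategy` hunk below) passes it as `token_audience`, i.e. it is matched against the token's `aud` claim; nothing in this diff reads `iss`. That means any token signed with the shared secret whose `aud` contains `chronicle` or `ushadow` is accepted here, and any consumer of `ACCEPTED_ISSUERS` who believes it constrains the issuer will be misled. I'd name the setting for what it is — `ACCEPTED_AUDIENCES` with a matching env key — and document it as `# Extra JWT audiences (aud claim values) accepted in addition to fastapi-users' own; the iss claim is not checked`. Separately, `logger.info(f"Accepting tokens from issuers: {ACCEPTED_ISSUERS}")` runs at import time and formats eagerly; `logger.info("Accepting tokens from issuers: %s", ACCEPTED_ISSUERS)` is the lazy form the rest of a logging-based module would use. The other settings above use `_verify_configured`, so reading this one through that helper would keep the configuration-loading style consistent.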
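Review bot: `token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS` widens the strategy in both directions, not only for validation: as far as I recall of fastapi-users' `JWTStrategy`, `token_audience` is also written into the `aud` claim of tokens this service mints on login, so every token issued here will now carry `chronicle` and `ushadow` as audiences and be accepted by any service that validates those. If the intent is only to accept tokens minted by those services, keep the login strategy at the original audience and validate foreign tokens with a separate strategy instance, or at least state the widening in the docstring: `"""Get JWT strategy for token generation and validation; tokens are both written with and accepted for fastapi-users' audience plus every entry in ACCEPTED_ISSUERS."""`. Style-wise, once the call spans several keyword lines each argument belongs on its own line with a trailing comma, `token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS,`, which is what an auto-formatter would emit. The function body ends inside the hunk, so no further arguments are affected.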