diff --git a/backends/advanced/src/advanced_omi_backend/auth.py b/backends/advanced/src/advanced_omi_backend/auth.py
index 7c68d0b4..a87a7113 100644
--- a/backends/advanced/src/advanced_omi_backend/auth.py
+++ b/backends/advanced/src/advanced_omi_backend/auth.py
@@ -50,6 +50,14 @@ def _verify_configured(var_name: str, *, optional: bool = False) -> Optional[str
 ADMIN_PASSWORD = _verify_configured("ADMIN_PASSWORD")
 ADMIN_EMAIL = _verify_configured("ADMIN_EMAIL", optional=True) or "admin@example.com"
+# Accepted token issuers - comma-separated list of services whose tokens we accept
+# Default: "chronicle,ushadow" (accept tokens from both chronicle and ushadow)
+ACCEPTED_ISSUERS = [
+ iss.strip()
+ for iss in os.getenv("ACCEPTED_TOKEN_ISSUERS", "chronicle,ushadow").split(",")
+ if iss.strip()
+]
+logger.info(f"Accepting tokens from issuers: {ACCEPTED_ISSUERS}")
 class UserManager(BaseUserManager[User, PydanticObjectId]):
 """User manager with minimal customization for fastapi-users."""
@@ -98,12 +106,17 @@ async def get_user_manager(user_db=Depends(get_user_db)):
 def get_jwt_strategy() -> JWTStrategy:
- """Get JWT strategy for token generation and validation."""
+ """Get JWT strategy for token generation and validation.
+
+ Configures token_audience from ACCEPTED_ISSUERS plus fastapi-users:auth
+ for Chronicle's own tokens.
+ """
 return JWTStrategy(
- secret=SECRET_KEY, lifetime_seconds=JWT_LIFETIME_SECONDS
+ secret=SECRET_KEY,
+ lifetime_seconds=JWT_LIFETIME_SECONDS,
+ token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS,
 )
-
 def generate_jwt_for_user(user_id: str, user_email: str) -> str:
 """Generate a JWT token for a user to authenticate with external services.
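Review bot: The comment above `ACCEPTED_ISSUERS` describes the list as "issuers", but the second hunk feeds it into `token_audience`, so these strings are matched against a token's `aud` claim and nothing here looks at `iss`; the comment should say so before an operator sets `ACCEPTED_TOKEN_ISSUERS` believing it restricts who may mint tokens. I would replace the first comment line with `# Audience values accepted on incoming JWTs (matched against the 'aud' claim, not 'iss');` and add `# every entry is trusted only because it shares SECRET_KEY with this service.` The list is also built at import time with no validation beyond stripping whitespace, so a typo in the env var silently narrows or widens acceptance; the info log on the last added line is the only feedback, which is worth a mention in the comment as well. `os` and `logger` are used but their imports are not visible in this hunk, so I assume they are already in scope above.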
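Review bot: `token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS` widens which tokens this strategy accepts without adding any issuer check: a JWT is valid if it is signed with the same `SECRET_KEY` and its `aud` contains any one of the listed values, so the name `ACCEPTED_ISSUERS` and the new docstring overstate what is enforced. Trust in tokens from "chronicle" or "ushadow" therefore rests entirely on the shared symmetric secret (presumably HS256 — the algorithm is not visible here), meaning any service holding that secret can mint a token for any user of this backend, and the docstring should state this rather than imply per-service acceptance. I would add to the docstring: `token_audience is matched against the JWT 'aud' claim; the 'iss' claim is not verified, and cross-service tokens are trusted solely via the shared SECRET_KEY.` `get_jwt_strategy` is contained in this hunk; `generate_jwt_for_user` continues past its end.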