diff --git a/WorkFlow.API/Program.cs b/WorkFlow.API/Program.cs
index 129fa1b..886a2e4 100644
--- a/WorkFlow.API/Program.cs
+++ b/WorkFlow.API/Program.cs
@@ -47,9 +47,10 @@ try
 else
 throw new("The API Key Authorization configuration is not available in the app settings, even though the app is not in development or DiP mode and API Key Authorization is not disabled.");
+ // Created separately from AuthClientParams (added via options) for use in Jwt Bearer configuration
 var authPublicKey = config.GetSection("AuthPublicKey").Get() ?? throw new InvalidOperationException("The AuthPublicKey configuration is missing or invalid.");
- builder.Services.AddAuthHubClient(config.GetSection("AuthClientParams"));
+ builder.Services.AddAuthHubClient(config.GetSection("AuthClientParams"), opt => opt.PublicKeys.Add(authPublicKey));
 builder.Services.AddControllers();
@@ -62,7 +63,11 @@ try
 IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
 {
 return [authPublicKey.SecurityKey];
- }
+ },
+ ValidateIssuer = true,
+ ValidIssuer = authPublicKey.Issuer,
+ ValidateAudience = true,
+ ValidAudience = authPublicKey.Audience
 };
 });
diff --git a/WorkFlow.API/appsettings.json b/WorkFlow.API/appsettings.json
index 5a9244a..98a631e 100644
--- a/WorkFlow.API/appsettings.json
+++ b/WorkFlow.API/appsettings.json
@@ -79,11 +79,10 @@
 },
 "AuthClientParams": {
 "Url": "https://localhost:7192",
- "PublicKeys": [
- {
- "Issuer": "auth.digitaldata.works",
- "Audience": "work-flow.digitaldata.works"
- }
- ]
+ "PublicKeys": []
+ },
+ "AuthPublicKey": {
+ "Issuer": "auth.digitaldata.works",
+ "Audience": "work-flow.digitaldata.works"
 }
 }
\ No newline at end of file
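Review bot: In the first Program.cs hunk (`@@ -47,9 +47,10 @@`), `authPublicKey` is only checked for a missing section, so an entry with a blank `Issuer` or `Audience` still passes startup. That entry is then registered with the AuthHub client and feeds `ValidIssuer`/`ValidAudience` in the second hunk. As far as I know the JWT handler rejects tokens when validation is enabled and the expected value is blank, so this should fail closed, but only at request time and with an error that does not point at configuration. I would fail fast right after the existing null check, e.g. `if (string.IsNullOrWhiteSpace(authPublicKey.Issuer) || string.IsNullOrWhiteSpace(authPublicKey.Audience)) throw new InvalidOperationException("AuthPublicKey requires Issuer and Audience.");`. The enclosing `try` block starts and ends outside the hunk.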
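Review bot: In the second Program.cs hunk (`@@ -62,7 +63,11 @@`), no algorithm restriction is visible next to the new issuer and audience checks. The `TokenValidationParameters` initializer starts above the hunk, so it may already be set there. If it is not, consider adding `ValidAlgorithms = [SecurityAlgorithms.RsaSha256]` (or whichever algorithm the auth service actually signs with), so the accepted signature algorithm is fixed by the API rather than taken from the token header. Separately, the resolver returns `authPublicKey.SecurityKey`, which appsettings.json does not supply and which is presumably loaded by the AuthHub client. A short comment such as `// SecurityKey is populated by the AuthHub client; Issuer/Audience come from configuration` would make that dependency explicit.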