diff --git a/pkg/oidc/token.go b/pkg/oidc/token.go
index a75b976..5a0e8c9 100644
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@@ -48,8 +48,11 @@ func EmptyAccessTokenClaims() AccessTokenClaims {
 	return new(accessTokenClaims)
 }
 
-func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id string) AccessTokenClaims {
+func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id, clientID string) AccessTokenClaims {
 	now := time.Now().UTC()
+	if len(audience) == 0 {
+		audience = append(audience, clientID)
+	}
 	return &accessTokenClaims{
 		Issuer:     issuer,
 		Subject:    subject,
diff --git a/pkg/op/token.go b/pkg/op/token.go
index 4fd4c0a..057ab5b 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@@ -83,7 +83,7 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
 }
 
 func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) {
-	claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id)
+	claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id, client.GetID())
 	if client != nil {
 		restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
 		privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))