diff --git a/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs b/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
index e9fd98f..9331924 100644
--- a/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
+++ b/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
@@ -158,14 +158,13 @@ public class OidcProviderService(
 {
 new(JwtRegisteredClaimNames.Iss, _options.IssuerUri),
 new(JwtRegisteredClaimNames.Sub, session.AccountId.ToString()),
- new(JwtRegisteredClaimNames.Aud, client.Id.ToString()),
+ new(JwtRegisteredClaimNames.Aud, client.Slug),
 new(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
 new(JwtRegisteredClaimNames.Exp, now.Plus(Duration.FromSeconds(_options.AccessTokenLifetime.TotalSeconds)).ToUnixTimeSeconds() .ToString(), ClaimValueTypes.Integer64),
 new(JwtRegisteredClaimNames.AuthTime, session.CreatedAt.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
- new(JwtRegisteredClaimNames.Aud, client.Id)
 };
 // Add nonce if provided (required for implicit and hybrid flows)
@@ -301,11 +300,10 @@ public class OidcProviderService(
 new Claim(JwtRegisteredClaimNames.Jti, session.Id.ToString()),
 new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
- new Claim(JwtRegisteredClaimNames.Aud, client.Id)
 ]),
 Expires = expiresAt.ToDateTimeUtc(),
 Issuer = _options.IssuerUri,
- Audience = client.Id
+ Audience = client.Slug
 };
 // Try to use RSA signing if keys are available, fall back to HMAC
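Review bot: The `aud` value at `new(JwtRegisteredClaimNames.Aud, client.Slug)` now depends on a slug rather than the client's primary key, and the same switch is made at `Audience = client.Slug` in the second hunk. Relying parties validate `aud` against the `client_id` they registered with, so this is only correct if the slug is what the authorize and token endpoints accept as `client_id`, and if the validation code (not visible here) compares against the slug as well. A slug is presumably human-chosen; if it can be renamed, or reused after a client is deleted, an unexpired token would carry an audience that now names a different client. I would add a comment such as `// aud must equal the OAuth client_id; Slug is assumed unique and immutable` and confirm that constraint at the model level. The claim list starts above this hunk and the method continues below it.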
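Review bot: `Audience = client.Slug` has no guard against a null or empty slug, in which case the descriptor would most likely produce a token with no `aud` claim at all, leaving it unbound to any client. Whether `Slug` can be null is not visible in this hunk, so a check before the descriptor is built is worth having, e.g. `if (string.IsNullOrWhiteSpace(client.Slug)) throw new InvalidOperationException("Client has no slug; cannot set token audience");`. The descriptor initializer begins above the hunk and the signing logic follows below it.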