diff --git a/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs b/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
index d3be946..e9fd98f 100644
--- a/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
+++ b/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
@@ -156,15 +156,16 @@ public class OidcProviderService(
 var claims = new List
 {
- new Claim(JwtRegisteredClaimNames.Iss, _options.IssuerUri),
- new Claim(JwtRegisteredClaimNames.Sub, session.AccountId.ToString()),
- new Claim(JwtRegisteredClaimNames.Aud, client.Id.ToString()),
- new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
- new Claim(JwtRegisteredClaimNames.Exp,
+ new(JwtRegisteredClaimNames.Iss, _options.IssuerUri),
+ new(JwtRegisteredClaimNames.Sub, session.AccountId.ToString()),
+ new(JwtRegisteredClaimNames.Aud, client.Id.ToString()),
+ new(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
+ new(JwtRegisteredClaimNames.Exp,
 now.Plus(Duration.FromSeconds(_options.AccessTokenLifetime.TotalSeconds)).ToUnixTimeSeconds()
 .ToString(), ClaimValueTypes.Integer64),
- new Claim(JwtRegisteredClaimNames.AuthTime, session.CreatedAt.ToUnixTimeSeconds().ToString(),
- ClaimValueTypes.Integer64)
+ new(JwtRegisteredClaimNames.AuthTime, session.CreatedAt.ToUnixTimeSeconds().ToString(),
+ ClaimValueTypes.Integer64),
+ new(JwtRegisteredClaimNames.Aud, client.Id)
 };
 // Add nonce if provided (required for implicit and hybrid flows)
@@ -300,7 +301,7 @@ public class OidcProviderService(
 new Claim(JwtRegisteredClaimNames.Jti, session.Id.ToString()),
 new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
- new Claim("client_id", client.Id)
+ new Claim(JwtRegisteredClaimNames.Aud, client.Id)
 ]),
 Expires = expiresAt.ToDateTimeUtc(),
 Issuer = _options.IssuerUri,
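Review bot: In the first OidcProviderService.cs hunk (@@ -156), the added `new(JwtRegisteredClaimNames.Aud, client.Id)` at the end of the list duplicates the `aud` entry a few lines above it (`client.Id.ToString()`), so the list now carries two audience claims. Depending on how the token is assembled outside this hunk, that typically serializes as a two-element `aud` array, and relying parties that expect a single audience, or that expect `azp` next to a multi-valued `aud`, may reject the token. Keep exactly one of the two entries so a single `aud` is emitted. The method that owns this list starts and ends outside the hunk.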
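Review bot: In the second OidcProviderService.cs hunk (@@ -300), swapping `client_id` for `aud` removes the only claim that names the requesting client from what looks like the access-token descriptor. RFC 9068 keeps the two distinct: `aud` identifies the resource server the token is meant for and `client_id` identifies the client, so a validator that compares audience with its own identifier will not match a client id, and any consumer still reading `client_id` finds nothing. If the aim is to add an audience, keep both claims: `new Claim("client_id", client.Id),` followed by `new Claim(JwtRegisteredClaimNames.Aud, client.Id)`. The code that validates these tokens is not in this hunk and should be checked against whichever claim it reads.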
diff --git a/DysonNetwork.Pass/Auth/TokenAuthService.cs b/DysonNetwork.Pass/Auth/TokenAuthService.cs
index 849431e..88163ca 100644
--- a/DysonNetwork.Pass/Auth/TokenAuthService.cs
+++ b/DysonNetwork.Pass/Auth/TokenAuthService.cs
@@ -1,3 +1,4 @@
+using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography;
 using System.Text;
 using DysonNetwork.Pass.Wallet;
diff --git a/DysonNetwork.Pusher/Connection/WebSocketController.cs b/DysonNetwork.Pusher/Connection/WebSocketController.cs
index 352ad1e..cdc59ff 100644
--- a/DysonNetwork.Pusher/Connection/WebSocketController.cs
+++ b/DysonNetwork.Pusher/Connection/WebSocketController.cs
@@ -24,7 +24,7 @@ public class WebSocketController(WebSocketService ws, ILogger
 }
 var accountId = currentUser.Id!;
- var deviceId = currentSession.Challenge.DeviceId!;
+ var deviceId = currentSession.Challenge?.DeviceId ?? Guid.NewGuid().ToString();
 if (string.IsNullOrEmpty(deviceId))
 {
@@ -67,7 +67,11 @@ public class WebSocketController(WebSocketService ws, ILogger
 catch (Exception ex)
 {
 logger.LogError(ex,
- "WebSocket disconnected with user @{UserName}#{UserId} and device #{DeviceId} unexpectedly");
+ "WebSocket disconnected with user @{UserName}#{UserId} and device #{DeviceId} unexpectedly",
+ currentUser.Name,
+ currentUser.Id,
+ deviceId
+ );
 }
 finally
 {
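Review bot: In the @@ -24 hunk of WebSocketController.cs, the fallback `Guid.NewGuid().ToString()` gives every connection from a session without a Challenge a fresh, unrepeatable device id, so the socket is no longer tied to a device the account actually registered. Anything outside this hunk that keys on the account and device pair, such as replacing an older socket for the same device or cutting off a revoked device, would presumably never match these ids. It also leaves the `string.IsNullOrEmpty(deviceId)` guard below reachable only for an empty string, so a missing device id that the guard used to catch is now accepted silently. Prefer a stable identifier taken from the session, or keep refusing the connection; if the random id is intended, document it with a comment such as `// Sessions without a challenge have no device binding; use an ephemeral per-connection id`.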