diff --git a/internal/config.go b/internal/config.go
index 1515013..8e2139f 100644
--- a/internal/config.go
+++ b/internal/config.go
@@ -45,6 +45,7 @@ type TokenOptions struct {
 Forwarding bool `yaml:"forwarding"`
 Refresh bool `yaml:"refresh"`
 Scope []string `yaml:"scope"`
+ //TODO: allow specifying audience in returned token
 }
 
 type Authentication struct {
@@ -55,9 +56,10 @@ type Authentication struct {
 }
 
 type Authorization struct {
+ Token TokenOptions `yaml:"token"`
 Endpoints Endpoints `yaml:"endpoints"`
 KeyPath string `yaml:"key-path"`
- Token TokenOptions `yaml:"token"`
+ Audience []string `yaml:"audience"` // NOTE: overrides the "aud" claim in token sent to authorization server
 }
 
 type Config struct {
diff --git a/internal/flows/jwt_bearer.go b/internal/flows/jwt_bearer.go
index b73ebdc..2e93265 100644
--- a/internal/flows/jwt_bearer.go
+++ b/internal/flows/jwt_bearer.go
@@ -23,6 +23,7 @@ type JwtBearerFlowParams struct {
 // IdentityProvider *oidc.IdentityProvider
 TrustedIssuer *oauth.TrustedIssuer
 Client *oauth.Client
+ Audience []string
 Refresh bool
 Verbose bool
 KeyPath string
@@ -143,6 +144,11 @@ func NewJwtBearerFlow(eps JwtBearerFlowEndpoints, params JwtBearerFlowParams) (s
 payload["exp"] = time.Now().Add(time.Second * 3600 * 16).Unix()
 payload["sub"] = "opaal"
+ // if an "audience" value is set, then override the token endpoint value
+ if len(params.Audience) > 0 {
+ payload["aud"] = params.Audience
+ }
+
 
 // include the offline_access scope if refresh tokens are enabled
 if params.Refresh {
 v, ok := payload["scope"]
diff --git a/internal/login.go b/internal/login.go
index d542974..ab51747 100644
--- a/internal/login.go
+++ b/internal/login.go
@@ -60,8 +60,9 @@ func Login(config *Config) error {
 ExpiresAt: time.Now().Add(config.Authorization.Token.Duration),
 Scope: []string{},
 },
- Verbose: config.Options.Verbose,
- Refresh: config.Authorization.Token.Refresh,
+ Verbose: config.Options.Verbose,
+ Refresh: config.Authorization.Token.Refresh,
+ Audience: config.Authorization.Audience,
 },
 ClientCredentialsEndpoints: flows.ClientCredentialsFlowEndpoints{
 Clients: config.Authorization.Endpoints.Clients,
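Review bot: The new `Audience` field on `Authorization` and the `//TODO: allow specifying audience in returned token` added to `TokenOptions` in the same file describe two different "audience" values, and the NOTE on `Audience` does not say which one it is, so a reader of the YAML is likely to set `audience:` expecting it to shape the token that comes back. From the jwt_bearer.go hunk it is the `aud` of the client's own signed assertion (the JWT-bearer grant's `assertion`), which per RFC 7523 must identify the authorization server, not a downstream API. I would replace the trailing NOTE with a doc comment such as `// Audience overrides the "aud" claim of the signed JWT-bearer assertion this client sends to the token endpoint (it must identify the authorization server); it does not set the audience of the access token that is returned.` The two yaml keys `token` and `audience` being siblings makes this distinction worth stating explicitly in the config itself.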
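Review bot: `payload["aud"] = params.Audience` always writes a `[]string`, so a config with a single `audience:` entry produces `"aud": ["..."]` rather than a plain string; RFC 7519 allows the array form, but some token endpoints only accept a single string for a one-element audience, so it would be more interoperable to emit the string form when `len(params.Audience) == 1` and the array otherwise. The `len(params.Audience) > 0` guard also lets an entry that is an empty string through, which yields an assertion with a meaningless audience that the server should reject; trimming and dropping empty entries (or returning an error) before the override would surface the misconfiguration at the client. The comment `// if an "audience" value is set, then override the token endpoint value` implies `aud` was already populated above the hunk, which I cannot see here; a short note that the override replaces the endpoint-derived value entirely (no merge) would help. `NewJwtBearerFlow` begins before this hunk and continues after it.
```go
// if an "audience" value is set, then override the token endpoint value.
// A single entry is emitted as a plain string (most widely accepted),
// several entries as an array (RFC 7519 §4.1.3).
switch len(params.Audience) {
case 0:
	// keep the endpoint-derived "aud" set above
case 1:
	payload["aud"] = params.Audience[0]
default:
	payload["aud"] = params.Audience
}
// … unchanged: offline_access scope handling …
```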