diff --git a/app/auth.py b/app/auth.py
index f066c57..eb5f278 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -122,15 +122,22 @@ async def _validate_token(token: str) -> Optional[dict]:
 logger.warning("JWT kid %s not found in JWKS", kid)
 return None
+ # Keycloak setzt aud="account" für Public Clients, nicht den
+ # client_id. Prüfe azp (authorized party) statt aud, und
+ # deaktiviere den strikten aud-Check.
 payload = jwt.decode(
 token,
 rsa_key,
 algorithms=["RS256"],
- audience=settings.keycloak_client_id,
 issuer=_keycloak_issuer(),
- options={"verify_exp": True},
+ options={"verify_exp": True, "verify_aud": False},
 )
+ # azp muss unserem Client entsprechen
+ if payload.get("azp") != settings.keycloak_client_id:
+ logger.warning("JWT azp %s != expected %s", payload.get("azp"), settings.keycloak_client_id)
+ return None
+
 return {
 "sub": payload.get("sub"),
 "email": payload.get("email", ""),
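Review bot: Setting `"verify_aud": False` removes the only claim that binds the token to this API; `azp` names the client that requested the token, not the resource it was issued for, so any realm token obtained through this public client (for whatever service) now passes the `azp` check. PyJWT accepts an iterable for `audience`, so the check can stay enabled while still admitting Keycloak's default: `audience=[settings.keycloak_client_id, "account"],` in place of the removed `audience=` line, with the `verify_aud` override dropped and the `azp` comparison kept as a second condition. Longer term the cleaner fix is presumably an audience mapper on the Keycloak client so `aud` carries the client id and the original strict check can return; worth stating that in the hunk comment (which also reads better in English, `# Keycloak issues aud="account" for public clients; require azp == client_id in addition`). The new `logger.warning` line runs well past the usual line limit; splitting it across the two format arguments keeps it readable. `_validate_token` begins before this hunk and the exception handling around `jwt.decode` is not visible here, so I cannot confirm that a missing or malformed `azp` is logged consistently with the other rejection paths.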