diff --git a/.env.example b/.env.example
index 4f5eb8a..9a91fed 100644
--- a/.env.example
+++ b/.env.example
@@ -7,7 +7,7 @@ POSTGRES_PASSWORD=changeme
 # Auth
 AUTH__AUTHORITY=https://auth.stwaddle.com
-AUTH__AUDIENCE=budget-api
+AUTH__AUDIENCE=budget_api
 # Client (baked into Vite build)
 VITE_AUTH_AUTHORITY=https://auth.stwaddle.com
diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs
index 39635cd..7dd64be 100644
--- a/src/Budget.Api/Program.cs
+++ b/src/Budget.Api/Program.cs
@@ -22,11 +22,14 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 {
 options.Authority = builder.Configuration["AUTH__AUTHORITY"];
 options.Audience = builder.Configuration["AUTH__AUDIENCE"];
+ options.MapInboundClaims = false;
 options.TokenValidationParameters = new TokenValidationParameters
 {
 ValidateIssuer = true,
 ValidateAudience = true,
 ValidateLifetime = true,
+ RoleClaimType = "role",
+ NameClaimType = "sub",
 };
 });
@@ -49,9 +52,8 @@ app.UseDefaultFiles();
 app.UseStaticFiles();
 app.UseAuthentication();
-app.UseAuthorization();
-
 app.UseMiddleware();
+app.UseAuthorization();
 app.MapControllers();
 app.MapHealthChecks("/healthz", new HealthCheckOptions
@@ -62,7 +64,7 @@ app.MapHealthChecks("/healthz", new HealthCheckOptions
 [HealthStatus.Degraded] = StatusCodes.Status200OK,
 [HealthStatus.Unhealthy] = StatusCodes.Status503ServiceUnavailable,
 }
-}).RequireAuthorization();
+});
 app.MapFallbackToFile("index.html");
diff --git a/src/Budget.Client/src/auth/authConfig.ts b/src/Budget.Client/src/auth/authConfig.ts
index 7150098..1a2acb7 100644
--- a/src/Budget.Client/src/auth/authConfig.ts
+++ b/src/Budget.Client/src/auth/authConfig.ts
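Review bot: In the JWT bearer options of `src/Budget.Api/Program.cs` (hunk at old line 22), `builder.Configuration["AUTH__AUTHORITY"]` and `builder.Configuration["AUTH__AUDIENCE"]` can both return null without any startup error. With `ValidateAudience = true`, a missing audience would most likely show up only as every token being rejected at request time. This matters more now that the audience value is renamed: if the settings reach the process as environment variables, the default provider exposes `AUTH__AUDIENCE` under the key `AUTH:AUDIENCE`, so the literal double-underscore lookup may not find it (the configuration sources are not visible on this page). Failing fast makes a mismatch obvious, e.g. `options.Audience = builder.Configuration["AUTH__AUDIENCE"] ?? throw new InvalidOperationException("AUTH__AUDIENCE is not configured");`, and the same for the authority. The options lambda starts outside the hunk.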
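Review bot: In the pipeline hunk of `src/Budget.Api/Program.cs` (old line 49), `app.UseMiddleware();` now runs before `app.UseAuthorization()`, so it executes for requests that carry no token and for requests that authorization will later reject. The middleware type is not visible on this page; if it reads claims or creates per-user state, it should skip that work and call the next delegate whenever `context.User.Identity?.IsAuthenticated` is not true, rather than rely on a later stage to stop the request. A comment above the call would keep the order from being reverted, e.g. `// Runs after UseAuthentication (needs HttpContext.User) and before UseAuthorization; must tolerate anonymous requests`.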
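Review bot: In the `/healthz` hunk of `src/Budget.Api/Program.cs` (old line 62), the endpoint becomes reachable without a token, but nothing in the mapping records that this is intended. Ending the call with `}).AllowAnonymous();` instead of a bare `});` states the decision and keeps the probe working if a fallback authorization policy is added later. Because the endpoint is now public, its response should carry status only; the `HealthCheckOptions` initializer starts outside the hunk, so whether a custom `ResponseWriter` emits per-check descriptions or exception text cannot be confirmed from here.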
@@ -5,7 +5,7 @@ export const authConfig: UserManagerSettings = {
 client_id: import.meta.env.VITE_AUTH_CLIENT_ID,
 redirect_uri: import.meta.env.VITE_AUTH_REDIRECT_URI,
 response_type: 'code',
- scope: 'openid profile email',
+ scope: 'openid profile email offline_access budget_api',
 post_logout_redirect_uri: import.meta.env.VITE_AUTH_REDIRECT_URI?.replace('/callback', ''),
 automaticSilentRenew: true,
 };
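Review bot: Adding `offline_access` to `scope` means the browser client will be issued a refresh token, which outlives the access token and is readable by any script that can reach the token store. No `userStore` is set in the visible part of `authConfig`, so the library default presumably applies; the object starts outside the hunk, so settings above old line 5 are not visible. Before relying on this, confirm that the identity provider's client entry uses refresh-token rotation with reuse detection and a bounded lifetime, and record that next to the setting, e.g. `// offline_access: refresh token lives in the browser; IdP must rotate and expire it`.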