diff --git a/pkg/authentication/authenticatorfactory/loopback.go b/pkg/authentication/authenticatorfactory/loopback.go
index f31656529..fe51afcbc 100644
--- a/pkg/authentication/authenticatorfactory/loopback.go
+++ b/pkg/authentication/authenticatorfactory/loopback.go
@@ -24,6 +24,6 @@ import (
 )
 
 // NewFromTokens returns an authenticator.Request or an error
-func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
- return bearertoken.New(tokenfile.New(tokens))
+func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request {
+ return bearertoken.New(authenticator.WrapAudienceAgnosticToken(audiences, tokenfile.New(tokens)))
 }
diff --git a/pkg/server/config.go b/pkg/server/config.go
index 12d18796e..5536e8cac 100644
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@@ -858,7 +858,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
 Groups: []string{user.SystemPrivilegedGroup},
 }
 
- tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
+ tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
 authn.Authenticator = authenticatorunion.New(tokenAuthenticator, authn.Authenticator)
 
 tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
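Review bot: The doc comment kept above NewFromTokens is stale and says nothing about the new parameter: it promises "an authenticator.Request or an error", but the signature returns only authenticator.Request, and the meaning of `audiences` is left to the reader. Something like `// NewFromTokens returns an authenticator.Request that checks bearer tokens against the given static token map and treats each token as valid only for the given audiences.` would state the contract. The comment should also say what an empty or nil `audiences` means, since how WrapAudienceAgnosticToken handles that case is not visible in this hunk. Because the function is exported, any caller outside this patch will stop compiling with the added parameter.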
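Review bot: `authn.APIAudiences` is handed straight to the authenticator for the loopback token, which maps to `user.SystemPrivilegedGroup`, so this list now decides whether the API server's most privileged credential authenticates at all. Whether APIAudiences is already populated when AuthorizeClientBearerToken runs cannot be seen here, as the function body starts outside the hunk. If it can be empty at this point, the result depends on how the wrapper treats an empty audience set, and a test should pin that behaviour. A short comment at the call, e.g. `// The loopback token is valid only for the API server's own audiences.`, would record the intent.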