diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index af4e68a8..c70c1d2c 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -80,6 +80,13 @@ public class OidcTokenExchanger {
         log.info("OIDC token exchange: tokenEndpoint={}, redirectUri={}", metadata.getTokenEndpointURI(), redirectUri);
         var httpRequest = tokenRequest.toHTTPRequest();
+        // RFC 8707: include resource indicator in token exchange to get a JWT access token
+        String configAudience = config.audience() != null ? config.audience() : "";
+        if (!configAudience.isBlank()) {
+            String body = httpRequest.getBody();
+            body += "&resource=" + java.net.URLEncoder.encode(configAudience, java.nio.charset.StandardCharsets.UTF_8);
+            httpRequest.setBody(body);
+        }
         if (securityProperties.isOidcTlsSkipVerify()) {
             httpRequest.setSSLSocketFactory(InsecureTlsHelper.socketFactory());
             httpRequest.setHostnameVerifier(InsecureTlsHelper.hostnameVerifier());
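Review bot: The splice at `body += "&resource=" + …` assumes `httpRequest.getBody()` already holds a non-empty form body; if the Nimbus request carries no body at that point the result is `null&resource=…` or a body with a leading `&`, so the separator should depend on the existing body rather than being hard-coded. The value is also forwarded unvalidated, while RFC 8707 §2 requires `resource` to be an absolute URI without a fragment — a misconfigured `config.audience()` such as a bare API name is better rejected here than as an opaque `invalid_target` from the authorization server (or, if the Nimbus version in use exposes `TokenRequest`'s own resource-indicator parameter, pass it through that API instead of editing the encoded body). The comment overstates the standard: a resource indicator scopes the token's audience but does not by itself make the access token a JWT, which is provider-specific behaviour, so reword it to `// RFC 8707 resource indicator: scope the access token to the configured audience`. Importing `java.net.URI`, `URLEncoder` and `StandardCharsets` at the top of the file would also replace the fully-qualified names inline. The enclosing method begins and ends outside this hunk.
```java
// … unchanged: log.info / toHTTPRequest …
// RFC 8707 resource indicator: scope the access token to the configured audience.
// §2 requires an absolute URI without a fragment; fail on bad config here rather than at the AS.
String configAudience = config.audience() != null ? config.audience() : "";
if (!configAudience.isBlank()) {
    URI resource = URI.create(configAudience);
    if (!resource.isAbsolute() || resource.getFragment() != null) {
        throw new IllegalArgumentException("OIDC audience must be an absolute URI without a fragment");
    }
    String existing = httpRequest.getBody();
    String prefix = (existing == null || existing.isEmpty()) ? "" : existing + "&";
    httpRequest.setBody(prefix + "resource=" + URLEncoder.encode(resource.toString(), StandardCharsets.UTF_8));
}
// … unchanged: TLS skip-verify branch …
```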