diff --git a/Gateway/Security/ClientAuthMiddleware.cs b/Gateway/Security/ClientAuthMiddleware.cs
index ca08c2c..f4da4a6 100644
--- a/Gateway/Security/ClientAuthMiddleware.cs
+++ b/Gateway/Security/ClientAuthMiddleware.cs
@@ -239,13 +239,13 @@ public sealed class ClientAuthMiddleware
 var data = root.TryGetProperty("data", out var dataProp) ? dataProp : root;
 clientContext.SessionId = data.TryGetProperty("sessionId", out var sid) ? sid.GetString() : null;
- clientContext.ClientId = data.TryGetProperty("clientId", out var cid) ? cid.GetString() : null;
- clientContext.ClientName = data.TryGetProperty("clientName", out var cn) ? cn.GetString() : null;
+ clientContext.ClientId = data.TryGetProperty("clientId", out var cid) ? cid.GetString() : null;
+ clientContext.ClientName = data.TryGetProperty("clientName", out var cn) ? cn.GetString() : null;
 clientContext.ClientCategory = data.TryGetProperty("clientCategory", out var ccat) ? ccat.GetString() : null;
- clientContext.UserId = data.TryGetProperty("userId", out var uid) ? uid.GetString() : null;
- clientContext.Email = data.TryGetProperty("userEmail", out var ue) ? ue.GetString() : null;
- clientContext.Role = data.TryGetProperty("role", out var role) ? role.GetString() : null;
- clientContext.IsDevBypass = false;
+ clientContext.UserId = data.TryGetProperty("userId", out var uid) ? uid.GetString() : null;
+ clientContext.Email = data.TryGetProperty("userEmail", out var ue) ? ue.GetString() : null;
+ clientContext.Role = data.TryGetProperty("role", out var role) ? role.GetString() : null;
+ clientContext.IsDevBypass = false;
 _logger.LogWarning("[Auth] Session validated OK | ClientId={ClientId} Email={Email} | Corr={Corr}", clientContext.ClientId, clientContext.Email, corrId);
@@ -357,7 +357,11 @@ public sealed class ClientAuthMiddleware
 var validationParams = new TokenValidationParameters
 {
 ValidateIssuer = true,
- ValidIssuers = new[] { $"{instance.TrimEnd('/')}/{tenantId}/v2.0" },
+ ValidIssuers = new[]
+ {
+ $"https://login.microsoftonline.com/{tenantId}/v2.0",
+ $"https://sts.windows.net/{tenantId}/"
+ },
 ValidateAudience = true,
 ValidAudiences = validAudiences,
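Review bot: The new `ValidIssuers` list hard-codes the public-cloud authority and no longer uses `instance`, so a deployment whose configured authority host differs would presumably fail issuer validation for every token; keeping the first entry as `$"{instance.TrimEnd('/')}/{tenantId}/v2.0"` preserves the configured behaviour. Adding `https://sts.windows.net/{tenantId}/` also means v1.0-format tokens now pass the issuer check, which widens what the gateway accepts: `validAudiences` and any claim reads after validation should be confirmed against the v1.0 token shape, and the entry deserves a comment such as `// v1.0 issuer: accepted for <which clients / why>` so the wider acceptance is a recorded decision. Both strings are only as strict as `tenantId`, so if it comes from configuration a fail-fast check like `if (!Guid.TryParse(tenantId, out _)) throw new InvalidOperationException("tenantId must be a tenant GUID");` before building the parameters would catch an empty or placeholder value. The initializer continues outside the hunk, so the remaining validation settings are not visible here.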