diff --git a/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs b/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs
index 5640ccc63..e75da07fa 100644
--- a/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs
+++ b/backend/src/Squidex/Config/Authentication/IdentityServerServices.cs
@@ -5,10 +5,14 @@
 // All rights reserved. Licensed under the MIT license.
 // ==========================================================================
 
+using IdentityModel.AspNetCore.OAuth2Introspection;
+using IdentityServer4.AccessTokenValidation;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Squidex.Infrastructure;
 using Squidex.Web;
 
 namespace Squidex.Config.Authentication
@@ -17,9 +21,41 @@ namespace Squidex.Config.Authentication
 {
 public static AuthenticationBuilder AddSquidexIdentityServerAuthentication(this AuthenticationBuilder authBuilder, MyIdentityOptions identityOptions, IConfiguration config)
 {
- if (!string.IsNullOrWhiteSpace(identityOptions.AuthorityUrl))
+ var apiScope = Constants.ApiScope;
+
+ var urlsOptions = config.GetSection("urls").Get();
+
+ if (!string.IsNullOrWhiteSpace(urlsOptions.BaseUrl))
 {
- var apiAuthorityUrl = identityOptions.AuthorityUrl;
+ string apiAuthorityUrl;
+
+ if (!string.IsNullOrWhiteSpace(identityOptions.AuthorityUrl))
+ {
+ apiAuthorityUrl = identityOptions.AuthorityUrl.BuildFullUrl(Constants.IdentityServerPrefix);
+ }
+ else
+ {
+ apiAuthorityUrl = urlsOptions.BuildUrl(Constants.IdentityServerPrefix);
+ }
+
+ authBuilder.AddIdentityServerAuthentication(options =>
+ {
+ options.Authority = apiAuthorityUrl;
+ options.ApiName = apiScope;
+ options.ApiSecret = null;
+ options.RequireHttpsMetadata = identityOptions.RequiresHttps;
+ options.SupportedTokens = SupportedTokens.Jwt;
+
+ var fromHeader = TokenRetrieval.FromAuthorizationHeader();
+ var fromQuery = TokenRetrieval.FromQueryString();
+
+ options.TokenRetriever = request =>
+ {
+ var result = fromHeader(request) ?? fromQuery(request);
+
+ return result;
+ };
+ });
 
 authBuilder.AddOpenIdConnect(options =>
 {
@@ -35,13 +71,11 @@ namespace Squidex.Config.Authentication
 options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 });
 }
- else
+
+ authBuilder.AddLocalApi(Constants.ApiSecurityScheme, options =>
 {
- authBuilder.AddLocalApi(Constants.ApiSecurityScheme, options =>
- {
- options.ExpectedScope = Constants.ApiScope;
- });
- }
+ options.ExpectedScope = Constants.ApiScope;
+ });
 
 return authBuilder;
 }
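Review bot: `urlsOptions.BaseUrl` is dereferenced right after `config.GetSection("urls").Get…()` with no null check (the type argument of `Get` appears stripped in this rendering); when the `urls` section is missing the binder hands back null, so startup fails with a NullReferenceException instead of the intended fall-through to the local-API scheme. A null-safe guard keeps the existing behaviour for both cases: `if (!string.IsNullOrWhiteSpace(urlsOptions?.BaseUrl))`. Separately, the `TokenRetriever` accepts a bearer token from the query string whenever the Authorization header yields none; tokens carried in URLs are routinely written to server and proxy access logs and leak through Referer headers, so if only a few endpoints need this it is worth limiting the fallback to those paths and recording the reason in a comment such as `// Query-string tokens are accepted as a fallback for <callers that cannot set headers>; the Authorization header is the primary source.` `RequireHttpsMetadata` is driven entirely by `identityOptions.RequiresHttps`, which is fine as long as the option's default is documented as the secure one; the method body continues into the next hunk.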