diff --git a/src/api/auth/src/token.js b/src/api/auth/src/token.js
index 73759c3334..1120e226a5 100644
--- a/src/api/auth/src/token.js
+++ b/src/api/auth/src/token.js
@@ -1,5 +1,7 @@
 const jwt = require('jsonwebtoken');
+const { JWT_ISSUER, JWT_AUDIENCE } = process.env;
+
 // TODO - proper signing with RS256 keys
 const secret = 'TODO - use RS256 signing...';
 const issuer = process.env.JWT_ISSUER;
@@ -8,11 +10,12 @@ function createToken(audience, subject) {
 // TODO - figure out all the various claims we need to use
 const payload = {
 // The token is issued by us (e.g., this server)
-iss: process.env.JWT_ISSUER,
-// It is intended for the app running at the specified origin
-aud: audience,
+iss: JWT_ISSUER,
+// It is intended for the services running at this api origin
+aud: JWT_AUDIENCE,
 // The subject of this token, the user
 sub: subject,
+// TODO: role info (e.g., admin)
 };
 const options = { expiresIn: process.env.JWT_EXPIRES_IN || '1h' };
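Review bot: The new `const { JWT_ISSUER, JWT_AUDIENCE } = process.env;` is never checked, so if either variable is unset the `iss`/`aud` claims built from them are `undefined` and will most likely be dropped from the signed payload (JSON serialization omits `undefined` properties), yielding tokens with no issuer or audience binding rather than a startup failure. Fail fast at module load, directly after the destructuring: `if (!JWT_ISSUER || !JWT_AUDIENCE) throw new Error('JWT_ISSUER and JWT_AUDIENCE must be set');`. The surviving `const issuer = process.env.JWT_ISSUER;` a few lines below now duplicates the destructured `JWT_ISSUER`; keeping both invites the two drifting apart, so switch its remaining uses to `JWT_ISSUER` and drop it.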
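Review bot: `aud: JWT_AUDIENCE` replaces `aud: audience`, but `createToken(audience, subject)` still declares the `audience` parameter (visible in the hunk header), so every caller's first argument is now silently ignored while the call sites still read as if they select the audience. Either remove the parameter and update the callers in the same change, or keep per-caller audiences with an explicit, documented fallback: `aud: audience ?? JWT_AUDIENCE,` preceded by `// Callers may narrow the audience; defaults to the api origin from JWT_AUDIENCE`. The added `// TODO: role info (e.g., admin)` would be clearer as `// TODO: role claims must be derived from the stored user record, never from request input`, so the eventual implementation is not client-controlled. createToken's body continues past the end of this hunk.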