diff --git a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
index fe97b5d2d23..de1d6281e91 100644
--- a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
+++ b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
@@ -168,12 +168,14 @@ private AuthenticationResponse authenticateToken(String token) {
 if (errors.isValid()) {
 Jwt jwt = signedJwt.getJwt();
 // perform all validations, including expected audience verification
- JwtValidator jwtValidator = JwtValidator.builder()
+ JwtValidator.Builder jwtValidatorBuilder = JwtValidator.builder()
 .addDefaultTimeValidators()
 .addCriticalValidator()
- .addUserPrincipalValidator()
- .addAudienceValidator(expectedAudience)
- .build();
+ .addUserPrincipalValidator();
+ if (expectedAudience != null) {
+ jwtValidatorBuilder.addAudienceValidator(expectedAudience);
+ }
+ JwtValidator jwtValidator = jwtValidatorBuilder.build();
 Errors validate = jwtValidator.validate(jwt);
 if (validate.isValid()) {
 return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
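Review bot: When `expectedAudience` is null, the new `if (expectedAudience != null)` guard drops the audience check silently, so a correctly signed, unexpired token issued for a different service would pass validation here. The unchanged comment above the builder still says "including expected audience verification", which is no longer always true; I would reword it to `// audience is verified only when an expected audience is configured`. Since the skip is a fail-open default, it also deserves a one-time warning where the provider is configured (outside this hunk, presumably in the builder or constructor), along the lines of `LOGGER.warning("JWT provider has no expected audience configured; the aud claim will not be verified");` using whatever logger the class already has. `authenticateToken` starts and ends outside the hunk, so I cannot tell whether a null audience is rejected or defaulted earlier in the class.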