diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81ff8750a..b942bb0ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@
 - Jenkins master and agent maintenance. Add Rhel9 variant and make it default ([#1361](https://github.com/opendevstack/ods-core/pull/1361))
 - Update tailor to 1.4.0 ([#1373](https://github.com/opendevstack/ods-core/pull/1373))
 - Update Jenkins java version to jdk 21 ([#1374](https://github.com/opendevstack/ods-core/pull/1374))
-- Add new configuration for the ODS API Service ([1375](https://github.com/opendevstack/ods-core/pull/1375)) ([1377](https://github.com/opendevstack/ods-core/pull/1377))([1378](https://github.com/opendevstack/ods-core/pull/1378))([1379](https://github.com/opendevstack/ods-core/pull/1379))([1380](https://github.com/opendevstack/ods-core/pull/1380))([1382](https://github.com/opendevstack/ods-core/pull/1382))([1383](https://github.com/opendevstack/ods-core/pull/1383))
+- Add new configuration for the ODS API Service ([1375](https://github.com/opendevstack/ods-core/pull/1375)) ([1377](https://github.com/opendevstack/ods-core/pull/1377))([1378](https://github.com/opendevstack/ods-core/pull/1378))([1379](https://github.com/opendevstack/ods-core/pull/1379))([1380](https://github.com/opendevstack/ods-core/pull/1380))([1382](https://github.com/opendevstack/ods-core/pull/1382))([1383](https://github.com/opendevstack/ods-core/pull/1383)) ([1386](https://github.com/opendevstack/ods-core/pull/1386))
 - Change the way the certificates are installed in the container of ods-api-service to update the cacert ([1381](https://github.com/opendevstack/ods-core/pull/1381))
 ### Fixed
diff --git a/ods-api-service/chart/CONFIGURATION_GUIDE.md b/ods-api-service/chart/CONFIGURATION_GUIDE.md
index fe265dc25..139a032ef 100644
--- a/ods-api-service/chart/CONFIGURATION_GUIDE.md
+++ b/ods-api-service/chart/CONFIGURATION_GUIDE.md
@@ -254,6 +254,9 @@ externalServices:
 trustAllCertificates: true
 username: marketplace-user
 password: marketplace-password
+ bypass:
+ audience: ${MARKETPLACE_BYPASS_AUDIENCE:}
+ scope: ${MARKETPLACE_BYPASS_SCOPE:}
 ```
 Generated env vars (all ConfigMap): `MARKETPLACE_DEFAULT_INSTANCE`, `MARKETPLACE_MY_MKT_PROJECT_COMPONENT_BASE_URL`, `MARKETPLACE_MY_MKT_PROVISIONER_ACTIONS_BASE_URL`,
diff --git a/ods-api-service/chart/templates/core/deployment.yaml b/ods-api-service/chart/templates/core/deployment.yaml
index eae3c865d..29b7c5bb3 100644
--- a/ods-api-service/chart/templates/core/deployment.yaml
+++ b/ods-api-service/chart/templates/core/deployment.yaml
@@ -56,6 +56,26 @@ spec:
 value: {{ .Values.env.OAUTH2_AUDIENCE | quote }}
 - name: OAUTH2_JWK_SET_URI
 value: {{ .Values.env.OAUTH2_JWK_SET_URI | quote }}
+ {{- if .Values.env.OAUTH2_AUDIENCE2 }}
+ - name: OAUTH2_AUDIENCE2
+ value: {{ .Values.env.OAUTH2_AUDIENCE2 | quote }}
+ {{- end }}
+ {{- if .Values.env.OAUTH2_ISSUER_V1 }}
+ - name: OAUTH2_ISSUER_V1
+ value: {{ .Values.env.OAUTH2_ISSUER_V1 | quote }}
+ {{- end }}
+ {{- if .Values.env.OAUTH2_JWK_SET_URI_V1 }}
+ - name: OAUTH2_JWK_SET_URI_V1
+ value: {{ .Values.env.OAUTH2_JWK_SET_URI_V1 | quote }}
+ {{- end }}
+ {{- if .Values.env.OAUTH2_ISSUER_V2 }}
+ - name: OAUTH2_ISSUER_V2
+ value: {{ .Values.env.OAUTH2_ISSUER_V2 | quote }}
+ {{- end }}
+ {{- if .Values.env.OAUTH2_JWK_SET_URI_V2 }}
+ - name: OAUTH2_JWK_SET_URI_V2
+ value: {{ .Values.env.OAUTH2_JWK_SET_URI_V2 | quote }}
+ {{- end }}
 - name: JAVA_OPTS
 value: {{ .Values.env.JAVA_OPTS | quote }}
diff --git a/ods-api-service/chart/templates/tpl/_application_yaml.tpl b/ods-api-service/chart/templates/tpl/_application_yaml.tpl
index 24e89064f..7f0593274 100644
--- a/ods-api-service/chart/templates/tpl/_application_yaml.tpl
+++ b/ods-api-service/chart/templates/tpl/_application_yaml.tpl
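Review bot: The five `{{- if .Values.env.X }}` … `{{- end }}` blocks added for `OAUTH2_AUDIENCE2`, `OAUTH2_ISSUER_V1`, `OAUTH2_JWK_SET_URI_V1`, `OAUTH2_ISSUER_V2` and `OAUTH2_JWK_SET_URI_V2` differ only in the key name, which is the kind of repetition that gets copy-edited wrong when a third issuer pair is added; a `range` over the key names keeps a single copy of the pattern. The pre-existing `OAUTH2_AUDIENCE` and `OAUTH2_JWK_SET_URI` entries in the context stay unconditional while the new ones are optional, so a short comment such as `# optional multi-issuer settings: emitted only when set in values` above the block would make the intended split explicit. The container `env` list this hunk belongs to starts outside the hunk, so the indentation below is illustrative.
```yaml
            {{- range $key := list "OAUTH2_AUDIENCE2" "OAUTH2_ISSUER_V1" "OAUTH2_JWK_SET_URI_V1" "OAUTH2_ISSUER_V2" "OAUTH2_JWK_SET_URI_V2" }}
            {{- if index $.Values.env $key }}
            - name: {{ $key }}
              value: {{ index $.Values.env $key | quote }}
            {{- end }}
            {{- end }}
```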
@@ -12,14 +12,6 @@ logging:
 spring:
 profiles:
 active: {{ .Values.env.SPRING_PROFILES_ACTIVE }}
- security:
- oauth2:
- resourceserver:
- jwt:
- jwk-set-uri: ${OAUTH2_JWK_SET_URI:}
- issuer-uri: ${OAUTH2_ISSUER:}
- audiences:
- - ${OAUTH2_AUDIENCE:}
 datasource:
 url: ${ODS_API_SERVICE_DB_DATASOURCE_URL}
 username: ${ODS_API_SERVICE_DB_USER:opendevstack}
@@ -37,6 +29,7 @@ spring:
 ddl-auto: ${JPA_HIBERNATE_DDL_AUTO:validate}
 properties:
 hibernate:
+ dialect: ${JPA_HIBERNATE_DIALECT:org.hibernate.dialect.PostgreSQLDialect}
 generate_statistics: ${JPA_HIBERNATE_GENERATE_STATISTICS:false}
 open-in-view: ${JPA_OPEN_IN_VIEW:false}
 show-sql: ${JPA_SHOW_SQL:false}
@@ -194,6 +187,9 @@ externalservices:
 password: ${MARKETPLACE_{{ $name | upper | replace "-" "_" }}_PASSWORD:}
 obo-scope: ${MARKETPLACE_{{ $name | upper | replace "-" "_" }}_OBO_SCOPE:}
 trust-all-certificates: ${MARKETPLACE_{{ $name | upper | replace "-" "_" }}_TRUST_ALL:false}
+ bypass:
+ audience: ${MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_AUDIENCE:}
+ scope: ${MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_SCOPE:}
 {{- end }}
 {{- else }}
 instances: {}
diff --git a/ods-api-service/chart/templates/tpl/_env_external_services.tpl b/ods-api-service/chart/templates/tpl/_env_external_services.tpl
index ebcbbd0cb..a8bc3316e 100644
--- a/ods-api-service/chart/templates/tpl/_env_external_services.tpl
+++ b/ods-api-service/chart/templates/tpl/_env_external_services.tpl
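Review bot: The new `bypass` mapping in the third hunk (`@@ -194,6 +187,9 @@`) adds an `audience` and a `scope` per marketplace instance, but neither this template nor the matching `CONFIGURATION_GUIDE.md` hunk says which check these values bypass or under what condition, and a key literally named `bypass` sitting next to `trust-all-certificates` is where the next reader will look for that. Suggest a template comment above it so the rendered config is unchanged, e.g. `{{/* bypass: optional per-instance audience/scope pair — TODO(review) document which token check it replaces and when it applies */}}`; the "which check" part is not visible here and should be filled in from the consuming code. The `{{- range }}` over instances that defines `$name` starts outside the hunk.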
@@ -87,6 +87,8 @@ MARKETPLACE_{{ $name | upper | replace "-" "_" }}_PROVISIONER_ACTIONS_BASE_URL:
 MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BITBUCKET_BASE_URL: {{ $instance.bitbucketBaseUrl | quote }}
 MARKETPLACE_{{ $name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
 MARKETPLACE_{{ $name | upper | replace "-" "_" }}_OBO_SCOPE: {{ $instance.oboScope | quote }}
+MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_AUDIENCE: {{ $instance.bypass.audience | default "" | quote }}
+MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_SCOPE: {{ $instance.bypass.scope | default "" | quote }}
 {{- end }}
 {{- end }}
diff --git a/ods-api-service/chart/values.yaml.template b/ods-api-service/chart/values.yaml.template
index 5f4473b15..992e4598b 100644
--- a/ods-api-service/chart/values.yaml.template
+++ b/ods-api-service/chart/values.yaml.template
@@ -73,7 +73,13 @@ env:
 CERT_URLS: "$CERT_URLS"
 OAUTH2_ISSUER: "$OAUTH2_ISSUER"
 OAUTH2_AUDIENCE: "$OAUTH2_AUDIENCE"
+ OAUTH2_AUDIENCE2: "$OAUTH2_AUDIENCE2"
 OAUTH2_JWK_SET_URI: "$OAUTH2_JWK_SET_URI"
+ # Trusted JWT issuers (multi-issuer / multi-audience support)
+ OAUTH2_ISSUER_V1: "$OAUTH2_ISSUER_V1"
+ OAUTH2_JWK_SET_URI_V1: "$OAUTH2_JWK_SET_URI_V1"
+ OAUTH2_ISSUER_V2: "$OAUTH2_ISSUER_V2"
+ OAUTH2_JWK_SET_URI_V2: "$OAUTH2_JWK_SET_URI_V2"
 JAVA_OPTS: $JAVA_OPTS
 # Development-specific configuration
 config:
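Review bot: `{{ $instance.bypass.audience | default "" | quote }}` reads `audience` off `$instance.bypass`, so for any marketplace instance whose values omit the `bypass:` block — the optional shape the commented example in `values.yaml.template` shows — `$instance.bypass` is nil and Helm aborts rendering with a nil-pointer evaluation error instead of emitting an empty value; the `default ""` only runs after the lookup has already failed. Use a nil-safe lookup on both new lines: `MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_AUDIENCE: {{ dig "bypass" "audience" "" $instance | quote }}` and `MARKETPLACE_{{ $name | upper | replace "-" "_" }}_BYPASS_SCOPE: {{ dig "bypass" "scope" "" $instance | quote }}`. The `range` over instances that binds `$name` and `$instance` starts outside the hunk.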
@@ -148,35 +154,32 @@ config:
 app:
 security:
 enabled: true
- jwt-validation-enabled: false
- issuer: ${OAUTH2_ISSUER:}
- audience: ${OAUTH2_AUDIENCE:}
- jwk-set-uri: ${OAUTH2_JWK_SET_URI:}
 public-endpoints:
 - "/actuator/health"
 - "/actuator/info"
+ - "/actuator/health/liveness"
+ - "/actuator/health/readiness"
 - "/swagger-ui/**"
 - "/swagger-ui.html"
 - "/v3/api-docs/**"
 - "/v3/api-docs.yaml/**"
 - "/swagger-resources/**"
 - "/webjars/**"
- flows:
- global:
- enabled-flows:
- - "authorization-code"
- - "client-credentials"
- - "on-behalf-of"
- default-flow: "client-credentials"
- apis:
- project:
- default-flow: "client-credentials"
- endpoints:
- - pattern: "/api/v1/projects/*/users/**"
- flows: ["client-credentials"]
- require-authentication: true
- - pattern: "/api/v1/projects/*/platforms/**"
- permit-all: true
+ # On-Behalf-Of (OBO) token exchange against the identity provider
+ obo:
+ token-url: ${OBO_TOKEN_URL:https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token}
+ client-id: ${OBO_CLIENT_ID}
+ client-secret: ${OBO_CLIENT_SECRET}
+ # Audience values accepted by this API. A valid token must carry at least one of these.
+ audiences:
+ - ${OAUTH2_AUDIENCE:}
+ - ${OAUTH2_AUDIENCE2:}
+ # Trusted JWT issuers. Each entry pairs an issuer URI (iss claim) with its JWK set URI.
+ issuers:
+ - issuer-uri: ${OAUTH2_ISSUER_V1:}
+ jwk-set-uri: ${OAUTH2_JWK_SET_URI_V1:}
+ - issuer-uri: ${OAUTH2_ISSUER_V2:}
+ jwk-set-uri: ${OAUTH2_JWK_SET_URI_V2:}
 environment: dev
 # External Services Secrets
 externalServices:
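Review bot: The `audiences` and `issuers` lists contain blank entries whenever the new variables are unset: `${OAUTH2_AUDIENCE2:}` resolves to an empty string, and each `issuers` element defaults both `issuer-uri` and `jwk-set-uri` to empty, which the deployment template makes the normal case by emitting those env vars only when non-empty. Whether the application drops blank entries or treats `""` as a matchable audience, or an issuer with no key set as a valid trust anchor, is not visible here; if blanks are not filtered, token validation is looser than this list reads, so either confirm the loader ignores them or avoid listing placeholder entries. At minimum record the assumption next to the lists: `# Entries left empty by unset env vars must be ignored by the application — confirm before adding a third issuer.` The `OAUTH2_ISSUER` and `OAUTH2_JWK_SET_URI` env vars that the removed `issuer:`/`jwk-set-uri:` lines consumed still get set by the deployment, so unless another reader exists outside these hunks they now appear to be dead configuration worth a comment or cleanup. The `config:` mapping this hunk belongs to starts and ends outside the hunk.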
@@ -274,7 +277,10 @@ externalServices:
 # dev:
 # projectComponentsBaseUrl: "$MARKETPLACE_DEV_PROJECT_COMPONENTS_BASE_URL"
 # provisionerActionsBaseUrl: "$MARKETPLACE_DEV_PROVISIONER_ACTIONS_BASE_URL"
- # oboScope: "$MARKETPLACE_DEV_OBO_SCOPE"
+ # oboScope: "$MARKETPLACE_DEV_OBO_SCOPE"
+ # bypass:
+ # audience: "$MARKETPLACE_DEV_BYPASS_AUDIENCE"
+ # scope: "$MARKETPLACE_DEV_BYPASS_SCOPE"
 # bitbucketBaseUrl: "$_BITBUCKET_BASE_URL"
 # trustAllCertificates: false
 # username: "" # Set in secrets.dev.enc.yaml