diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go
index aefae6a..92efca9 100644
--- a/api/v1alpha1/oauth2client_types.go
+++ b/api/v1alpha1/oauth2client_types.go
@@ -83,6 +83,9 @@ type OAuth2ClientSpec struct {
 	// RedirectURIs is an array of the redirect URIs allowed for the application
 	RedirectURIs []RedirectURI `json:"redirectUris,omitempty"`
 
+	// Audience is a whitelist defining the audiences this client is allowed to request tokens for
+	Audience []string `json:"audience,omitempty"`
+
 	// +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)+
 	//
 	// Scope is a string containing a space-separated list of scope values (as
@@ -169,6 +172,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
 		GrantTypes:              grantToStringSlice(c.Spec.GrantTypes),
 		ResponseTypes:           responseToStringSlice(c.Spec.ResponseTypes),
 		RedirectURIs:            redirectToStringSlice(c.Spec.RedirectURIs),
+		Audience:                c.Spec.Audience,
 		Scope:                   c.Spec.Scope,
 		Owner:                   fmt.Sprintf("%s/%s", c.Name, c.Namespace),
 		TokenEndpointAuthMethod: string(c.Spec.TokenEndpointAuthMethod),
diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
index 85e2bad..144f312 100644
--- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
+++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
@@ -437,6 +437,11 @@ spec:
                 pattern: \w+:/?/?[^\s]+
                 type: string
               type: array
+            audience:
+              description: Audience is a whitelist defining the audiences this client is allowed to request tokens for
+              items:
+                type: string
+              type: array
             responseTypes:
               description: ResponseTypes is an array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.
diff --git a/config/samples/hydra_v1alpha1_oauth2client.yaml b/config/samples/hydra_v1alpha1_oauth2client.yaml
index c10b7f8..a53eb99 100644
--- a/config/samples/hydra_v1alpha1_oauth2client.yaml
+++ b/config/samples/hydra_v1alpha1_oauth2client.yaml
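Review bot: `Audience` is the only list in this spec that reaches Hydra with no admission-time validation — `RedirectURIs` elements carry the `\w+:/?/?[^\s]+` pattern visible in the CRD hunk below and `Scope` has its `+kubebuilder:validation:Pattern` marker, so an empty string, whitespace or an arbitrary blob in `audience` is accepted by the API server and only fails, if at all, when the reconciler pushes it to Hydra. Since this list gates which `aud` values a client may obtain tokens for, I would follow the `RedirectURI` approach already in this file: a named element type such as `type Audience string` with `// +kubebuilder:validation:MinLength=1` (or a URL-shaped pattern if the Hydra version in use requires URL audiences — worth confirming, since the samples use bare `audience-a` values), with a helper mirroring `redirectToStringSlice` for `ToOAuth2ClientJSON`. The doc comment should also say what an omitted list means for token requests; I believe Hydra then rejects any requested audience, but that is not visible here and should be verified before being written down. If the CRD YAML below is regenerated by controller-gen rather than hand-edited, the new marker will come through automatically.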
@@ -19,6 +19,9 @@ spec:
   redirectUris:
     - https://client/account
     - http://localhost:8080
+  audience:
+    - audience-a
+    - audience-b
   hydraAdmin:
     # if hydraAdmin is specified, all of these fields are requried,
     # but they can be empty/0
diff --git a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
index 3390038..6fc6a00 100644
--- a/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
+++ b/config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml
@@ -29,6 +29,9 @@ spec:
   redirectUris:
     - https://client/account
     - http://localhost:8080
+  audience:
+    - audience-a
+    - audience-b
   hydraAdmin:
     # if hydraAdmin is specified, all of these fields are requried,
     # but they can be empty/0
diff --git a/controllers/oauth2client_controller_integration_test.go b/controllers/oauth2client_controller_integration_test.go
index 3ca563e..25e57b6 100644
--- a/controllers/oauth2client_controller_integration_test.go
+++ b/controllers/oauth2client_controller_integration_test.go
@@ -70,6 +70,7 @@ var _ = Describe("OAuth2Client Controller", func() {
 					ResponseTypes: o.ResponseTypes,
 					RedirectURIs:  o.RedirectURIs,
 					Scope:         o.Scope,
+					Audience:      o.Audience,
 					Owner:         o.Owner,
 				}
 			}, func(o *hydra.OAuth2ClientJSON) error {
@@ -214,6 +215,7 @@ var _ = Describe("OAuth2Client Controller", func() {
 					GrantTypes:    o.GrantTypes,
 					ResponseTypes: o.ResponseTypes,
 					RedirectURIs:  o.RedirectURIs,
+					Audience:      o.Audience,
 					Scope:         o.Scope,
 					Owner:         o.Owner,
 				}
@@ -402,6 +404,7 @@ func testInstance(name, secretName string) *hydrav1alpha1.OAuth2Client {
 			ResponseTypes: []hydrav1alpha1.ResponseType{"token"},
 			Scope:         "a b c",
 			RedirectURIs:  []hydrav1alpha1.RedirectURI{"https://example.com"},
+			Audience:      []string{"audience-a"},
 			SecretName:    secretName,
 			HydraAdmin: hydrav1alpha1.HydraAdmin{
 				URL: "http://hydra-admin",
diff --git a/hydra/client_test.go b/hydra/client_test.go
index c27a577..606eb69 100644
--- a/hydra/client_test.go
+++ b/hydra/client_test.go
@@ -23,8 +23,8 @@ const (
 	testID            = "test-id"
 	testClient        = `{"client_id":"test-id","owner":"test-name","scope":"some,scopes","grant_types":["type1"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientCreated = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"token_endpoint_auth_method":"client_secret_basic"}`
-	testClientUpdated = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientCreated = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"audience":["audience-a","audience-b"],"token_endpoint_auth_method":"client_secret_basic"}`
+	testClientUpdated = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"audience":["audience-c"],"token_endpoint_auth_method":"client_secret_basic"}`
 	testClientList    = `{"client_id":"test-id-4","owner":"test-name-4","scope":"scope1 scope2","grant_types":["type4"],"token_endpoint_auth_method":"client_secret_basic"}`
 	testClientList2   = `{"client_id":"test-id-5","owner":"test-name-5","scope":"scope3 scope4","grant_types":["type5"],"token_endpoint_auth_method":"client_secret_basic"}`
@@ -43,6 +43,7 @@ var testOAuthJSONPost = &hydra.OAuth2ClientJSON{
 	Scope:      "some,other,scopes",
 	GrantTypes: []string{"type2"},
 	Owner:      "test-name-2",
+	Audience:   []string{"audience-a", "audience-b"},
 }
 
 var testOAuthJSONPut = &hydra.OAuth2ClientJSON{
@@ -50,6 +51,7 @@ var testOAuthJSONPut = &hydra.OAuth2ClientJSON{
 	Scope:      "yet,another,scope",
 	GrantTypes: []string{"type3"},
 	Owner:      "test-name-3",
+	Audience:   []string{"audience-c"},
 }
 
 func TestCRUD(t *testing.T) {
@@ -170,6 +172,7 @@ func TestCRUD(t *testing.T) {
 		assert.Equal(testOAuthJSONPost.Scope, o.Scope)
 		assert.Equal(testOAuthJSONPost.GrantTypes, o.GrantTypes)
 		assert.Equal(testOAuthJSONPost.Owner, o.Owner)
+		assert.Equal(testOAuthJSONPost.Audience, o.Audience)
 		assert.NotNil(o.Secret)
 		assert.NotNil(o.ClientID)
 		assert.NotNil(o.TokenEndpointAuthMethod)
@@ -228,6 +231,7 @@ func TestCRUD(t *testing.T) {
 		assert.Equal(testOAuthJSONPut.GrantTypes, o.GrantTypes)
 		assert.Equal(testOAuthJSONPut.ClientID, o.ClientID)
 		assert.Equal(testOAuthJSONPut.Owner, o.Owner)
+		assert.Equal(testOAuthJSONPut.Audience, o.Audience)
 		assert.NotNil(o.Secret)
 	}
 })
diff --git a/hydra/types.go b/hydra/types.go
index 380efdd..065d6f1 100644
--- a/hydra/types.go
+++ b/hydra/types.go
@@ -9,6 +9,7 @@ type OAuth2ClientJSON struct {
 	GrantTypes              []string `json:"grant_types"`
 	RedirectURIs            []string `json:"redirect_uris,omitempty"`
 	ResponseTypes           []string `json:"response_types,omitempty"`
+	Audience                []string `json:"audience,omitempty"`
 	Scope                   string   `json:"scope"`
 	Owner                   string   `json:"owner"`
 	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
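Review bot: Tagging `Audience` with `omitempty` in `OAuth2ClientJSON` means that removing every audience from a CR yields a PUT body with no `audience` key at all; whether that clears the allowlist in Hydra or leaves the previously granted audiences in place depends on Hydra treating PUT as a full replacement, which is not visible here — and a stale allowlist is exactly the case where tokens keep being issued for an audience the operator meant to revoke. The tests in this commit only cover the populated case (`audience-a`/`audience-b` on create, `audience-c` on update); a TestCRUD case that PUTs an empty `Audience` and asserts the returned client has none would pin the revocation behaviour, or the field could drop `omitempty` so an explicit empty list is sent. The struct's fields carry no doc comments; for this one I would add `// Audience is the set of audiences the client may request tokens for; omitted from the body when empty (relies on Hydra's PUT being a full replacement — confirm).`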