diff --git a/cmd/serve.go b/cmd/serve.go
index 1749bde..676852d 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -102,14 +102,14 @@ func serve(ctx context.Context) {
 "address", viper.GetString("listen"),
 )
 
- logger.Infow("oidc enabled", "oidc", viper.GetString("oidc"))
-
- var authCfgs []ginjwt.AuthConfig
 if viper.GetViper().GetBool("oidc.enabled") {
- authCfgs, err = ginjwt.GetAuthConfigsFromFlags(viper.GetViper())
- if err != nil {
- logger.Fatal(err)
+ logger.Infow("OIDC enabled")
+
+ if len(config.AppConfig.APIServerJWTAuth) == 0 {
+ logger.Fatal("OIDC enabled without configuration")
 }
+ } else {
+ logger.Infow("OIDC disabled")
 }
 
 hs := &httpsrv.Server{
@@ -118,7 +118,7 @@ func serve(ctx context.Context) {
 Debug: config.AppConfig.Logging.Debug,
 DB: db,
 SecretsKeeper: keeper,
- AuthConfigs: authCfgs,
+ AuthConfigs: config.AppConfig.APIServerJWTAuth,
 }
 
 // init event stream - for now, only when nats.url is specified
diff --git a/go.mod b/go.mod
index 93d818f..4818b49 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
 
 require (
 github.com/volatiletech/sqlboiler v3.7.1+incompatible
- go.hollow.sh/toolbox v0.6.1
+ go.hollow.sh/toolbox v0.6.3
 go.infratographer.com/x v0.3.7
 gocloud.dev v0.33.0
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
diff --git a/go.sum b/go.sum
index 1c049f1..0135bd4 100644
--- a/go.sum
+++ b/go.sum
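Review bot: The new guard `len(config.AppConfig.APIServerJWTAuth) == 0` only proves that at least one `ginjwt_auth` entry was unmarshalled, not that any entry is usable. An entry with blank issuer or key-set fields, or one that is not itself marked enabled (if `ginjwt.AuthConfig` carries such a switch, which this page does not show), would pass startup, whereas the removed `GetAuthConfigsFromFlags` call returned an error that was treated as fatal. I would check every entry at this point and call `logger.Fatal` on the first incomplete one, so a misconfiguration cannot bring the API up with weaker token verification than the operator intended. The `else` branch also deserves a warning-level message such as `logger.Warnw("OIDC disabled")` (assuming the zap-style sugared logger these calls suggest), because it records that the service is starting without OIDC. `serve` begins and ends outside this hunk.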
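Review bot: `AuthConfigs` is now filled from `config.AppConfig.APIServerJWTAuth` whether or not `oidc.enabled` is set, while the old code left `authCfgs` nil in the disabled case. The switch and the list come from two different places (the viper key `oidc.enabled` and the `ginjwt_auth` section), so they can disagree: a deployment that logs "OIDC disabled" may still hand JWT configs to `httpsrv.Server`, and what the server does with them is not visible here. A comment on the assignment, for example `// passed regardless of oidc.enabled; httpsrv decides whether tokens are enforced`, or moving the enabled flag into the same config struct would give operators a single source of truth. The struct literal and `serve` continue outside the hunk.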
@@ -679,6 +679,8 @@ go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+
 go.etcd.io/etcd/client/v3 v3.5.4/go.mod h1:ZaRkVgBZC+L+dLCjTcF1hRXpgZXQPOvnA/Ak/gq3kiY=
 go.hollow.sh/toolbox v0.6.1 h1:3E6JofImSCe63XayczbGfDxIXUjmBziMBBmbwook8WA=
 go.hollow.sh/toolbox v0.6.1/go.mod h1:nl+5RDDyYY/+wukOUzHHX2mOyWKRjlTOXUcGxny+tns=
+go.hollow.sh/toolbox v0.6.3 h1:IJOjiGdiwWwXJ2QfOkJuSucSIqrdXJbUBFst3u6T6z4=
+go.hollow.sh/toolbox v0.6.3/go.mod h1:nl+5RDDyYY/+wukOUzHHX2mOyWKRjlTOXUcGxny+tns=
 go.infratographer.com/x v0.3.7 h1:kkykoVtC8XrmvC4oZwHWa/15+dv9RhQHgSm8KoEb/Nc=
 go.infratographer.com/x v0.3.7/go.mod h1:/zbDM9njbWzUDCA9pkbi1z/v4VZjGsVHx+SPycSgIhg=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
diff --git a/internal/config/config.go b/internal/config/config.go
index 62ab52a..d6a3644 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@
 package config
 
 import (
+ "go.hollow.sh/toolbox/ginjwt"
 "go.infratographer.com/x/crdbx"
 "go.infratographer.com/x/loggingx"
 "go.infratographer.com/x/otelx"
@@ -12,4 +13,6 @@ var AppConfig struct {
 CRDB crdbx.Config
 Logging loggingx.Config
 Tracing otelx.Config
+ // APIServerJWTAuth sets the JWT verification configuration for the conditionorc API service.
+ APIServerJWTAuth []ginjwt.AuthConfig `mapstructure:"ginjwt_auth"`
 }
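Review bot: The doc comment on `APIServerJWTAuth` does not state the one constraint the rest of this commit enforces, namely that the list must be non-empty when `oidc.enabled` is true or `serve` exits at startup. It also omits the config key operators have to set, which is `ginjwt_auth` rather than anything under `oidc`. I would extend it to something like `// APIServerJWTAuth holds the JWT verification configs for the conditionorc API service, loaded from the ginjwt_auth key; it must be non-empty when oidc.enabled is true.` so the coupling between the flag and this field is documented where the field is declared. The `AppConfig` struct starts outside this hunk.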