diff --git a/lib/policy_service_web/plugs/authorize_roles.ex b/lib/policy_service_web/plugs/authorize_roles.ex
index ac1f3cb..2b7621b 100644
--- a/lib/policy_service_web/plugs/authorize_roles.ex
+++ b/lib/policy_service_web/plugs/authorize_roles.ex
@@ -67,8 +67,8 @@ defmodule PolicyServiceWeb.Plugs.AuthorizeRoles do
 defp get_roles_map(conn, roles_claim) do
 case conn.private[Oidcc.Plug.IntrospectToken] do
- %{claims: %{^roles_claim => %{} = roles_map}} ->
- role = Map.get(roles_map, roles_claim, %{})
+ %{extra: %{^roles_claim => %{} = roles_map}} ->
+ Map.get(roles_map, roles_claim, %{})
 role
 _ ->
diff --git a/lib/policy_service_web/router.ex b/lib/policy_service_web/router.ex
index 44cacdb..bc8ae91 100644
--- a/lib/policy_service_web/router.ex
+++ b/lib/policy_service_web/router.ex
@@ -15,7 +15,7 @@ defmodule PolicyServiceWeb.Router do
 plug PolicyServiceWeb.Plugs.RequireOrganizationId
 plug PolicyServiceWeb.Plugs.ExtractOrganizationId
- plug :validate
+ plug :introspect
 plug :authorize_roles
 end
@@ -46,17 +46,18 @@ defmodule PolicyServiceWeb.Router do
 get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
 end
- def validate(conn, _opts) do
+ def introspect(conn, _opts) do
 zitadel = Application.get_env(:policy_service, :zitadel)
 opts =
- Oidcc.Plug.ValidateJwtToken.init(
+ Oidcc.Plug.IntrospectToken.init(
 provider: PolicyService.ZitadelProvider,
 client_id: zitadel[:client_id],
- client_secret: zitadel[:client_secret]
+ client_secret: zitadel[:client_secret],
+ token_introspection_opts: %{client_self_only: false}
 )
- Oidcc.Plug.ValidateJwtToken.call(
+ Oidcc.Plug.IntrospectToken.call(
 conn,
 opts
 )
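Review bot: The new `%{extra: ...}` arm drops the `role =` binding but the unchanged context line still returns `role`, so as rendered here the result of `Map.get(roles_map, roles_claim, %{})` is discarded and `role` is an unbound variable — this should fail to compile (undefined variable `role`) rather than silently return anything. Either restore the binding, `role = Map.get(roles_map, roles_claim, %{})`, or delete the `role` line and return the `Map.get` expression directly. Independently, looking up `roles_claim` a second time inside `roles_map` only yields a non-empty map when the claim nests itself under its own name; worth confirming against the actual shape of the introspection response's `extra` fields, since a mismatch here fails closed to `%{}` (no roles) rather than erroring. `get_roles_map/2` continues past the end of this hunk.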
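Review bot: `token_introspection_opts: %{client_self_only: false}` in `introspect/2` switches off the check that the introspected token was issued to this client, so — if the option does what its name indicates — an active token minted for any other application on the same Zitadel instance will pass this pipeline and reach `authorize_roles`, which then grants roles from that token's `extra` data. If accepting cross-client tokens is intentional, the audience decision should be enforced explicitly (e.g. compare the introspection response's `aud`/`client_id` against a configured allow-list before roles are honoured) and the reason recorded next to the option, for instance `# Tokens are issued to the SPA client, not this API; audience is checked explicitly in AuthorizeRoles`. Also note that `Application.get_env/2` and `Oidcc.Plug.IntrospectToken.init/1` now run on every request inside a function plug; building the options once in a module plug's `init/1` would avoid that, though that is a style point rather than a defect.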