diff --git a/nginx/conf/sites/proxy.conf b/nginx/conf/sites/proxy.conf
index 7825d85..c9310a1 100644
--- a/nginx/conf/sites/proxy.conf
+++ b/nginx/conf/sites/proxy.conf
@@ -24,6 +24,10 @@ server {
 }
 location / {
+ if ($http_authorization) {
+ access_by_lua_file lua/bearer_validation.lua;
+ }
+ access_by_lua_file lua/auth.lua;
 set $reverse_proxy_host $proxy_host;
diff --git a/nginx/lua/bearer_validation.lua b/nginx/lua/bearer_validation.lua
new file mode 100644
index 0000000..2a2d604
--- /dev/null
+++ b/nginx/lua/bearer_validation.lua
@@ -0,0 +1,20 @@
+local opts = {
+ discovery = os.getenv("OID_DISCOVERY"),
+}
+
+-- call bearer_jwt_verify to validate bearer token from openid connect
+local res, err = require("resty.openidc").bearer_jwt_verify(opts)
+
+ngx.log(ngx.INFO, tostring(res))
+ngx.log(ngx.INFO, tostring(err))
+
+
+if err then
+ ngx.status = 401
+ ngx.header.content_type = 'text/html';
+
+ ngx.say("There was an error while logging in: " .. err)
+ ngx.exit(ngx.HTTP_UNAUTHORIZED)
+end
+
+ngx.log(ngx.INFO, "Authentication successful, setting Auth header...")
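Review bot: The `access_by_lua_file lua/bearer_validation.lua;` placed inside `if ($http_authorization)` most likely replaces, rather than precedes, the location-level `access_by_lua_file lua/auth.lua;` for any request that carries an Authorization header, because an `if` inside a location forms an implicit nested location whose directives override the inherited ones; if the intent is bearer-then-session fallback, that needs to be decided in one Lua access handler that reads `ngx.var.http_authorization` and dispatches, not in two directives. The condition also matches every Authorization scheme, so a client sending `Basic` or a stale `Bearer` header is rejected with 401 by the bearer script instead of reaching the session login; narrowing it to `if ($http_authorization ~* "^Bearer ") {` limits the branch to tokens the script can actually verify. The enclosing `location /` block continues outside the hunk, so any other access or auth directives there should be checked for the same override.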
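Review bot: The 401 body echoes the library's verification error verbatim in `ngx.say("There was an error while logging in: " .. err)`, and the two `ngx.log(ngx.INFO, tostring(...))` calls write the decoded token claims and the error text into the log, so failure details and identity claims are exposed to the client and to anyone reading INFO-level logs. The error belongs in the error log at `ngx.ERR`, the client should get a generic body plus a `WWW-Authenticate: Bearer` header as RFC 6750 expects on a 401, and `text/html` is the wrong content type for an unescaped string (`text/plain` avoids any interpretation). The closing log line says an Auth header is being set, but `res` (the verified claims) is discarded and nothing is set, so the upstream receives no identity from this path; either set the header here or correct the message. `os.getenv("OID_DISCOVERY")` returns nil unless the main nginx config exposes it with `env OID_DISCOVERY;`, in which case every request fails closed with a misleading "error while logging in", so an explicit check with a clear error message for a missing discovery URL would help. The file is the whole hunk, so there is no enclosing function.
```lua
local res, err = require("resty.openidc").bearer_jwt_verify(opts)

if err or not res then
  ngx.log(ngx.ERR, "bearer token verification failed: ", err)
  ngx.status = ngx.HTTP_UNAUTHORIZED
  ngx.header["WWW-Authenticate"] = 'Bearer error="invalid_token"'
  ngx.header.content_type = "text/plain"
  ngx.say("Unauthorized")
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
-- … unchanged: success log …
```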