diff --git a/src/idpyoidc/server/client_authn.py b/src/idpyoidc/server/client_authn.py index 60370b0e..06321c0a 100755 --- a/src/idpyoidc/server/client_authn.py +++ b/src/idpyoidc/server/client_authn.py @@ -512,7 +512,10 @@ def verify_client( if _get_client_info: _cinfo = _get_client_info(client_id, _context) else: - _cinfo = _context.cdb[client_id] + try: + _cinfo = _context.cdb[client_id] + except KeyError: + raise UnknownClient("Unknown Client ID") if not _cinfo: raise UnknownClient("Unknown Client ID") diff --git a/src/idpyoidc/server/oauth2/add_on/pkce.py b/src/idpyoidc/server/oauth2/add_on/pkce.py index ce44aaed..0b1e697a 100644 --- a/src/idpyoidc/server/oauth2/add_on/pkce.py +++ b/src/idpyoidc/server/oauth2/add_on/pkce.py @@ -8,6 +8,7 @@ from idpyoidc.message.oauth2 import AuthorizationErrorResponse from idpyoidc.message.oauth2 import RefreshAccessTokenRequest from idpyoidc.message.oauth2 import TokenExchangeRequest +from idpyoidc.message.oauth2 import CCAccessTokenRequest from idpyoidc.message.oidc import TokenErrorResponse from idpyoidc.server.endpoint import Endpoint @@ -93,7 +94,7 @@ def post_token_parse(request, client_id, context, **kwargs): """ if isinstance( request, - (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest), + (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest, CCAccessTokenRequest), ): return request diff --git a/src/idpyoidc/server/oauth2/introspection.py b/src/idpyoidc/server/oauth2/introspection.py index 9684fd2d..5937d0d5 100644 --- a/src/idpyoidc/server/oauth2/introspection.py +++ b/src/idpyoidc/server/oauth2/introspection.py 
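Review bot: The new `except KeyError` branch in verify_client raises the same UnknownClient that the `if not _cinfo:` guard two lines below already raises, so the hunk now has two paths to one error; if `_context.cdb` is a plain mapping, `_cinfo = _context.cdb.get(client_id)` would let the existing guard cover the missing entry in a single line. If the try/except is kept, `raise UnknownClient("Unknown Client ID") from None` suppresses the chained KeyError, which otherwise puts the internal cdb lookup into the traceback for what is an ordinary client-side error. The `_get_client_info` path above is unchanged and its failure mode is not visible here. verify_client's body starts and ends outside the hunk.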
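Review bot: The added `from idpyoidc.message.oauth2 import CCAccessTokenRequest` breaks the alphabetical, one-name-per-line ordering the surrounding imports follow (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest); place it directly after the AuthorizationErrorResponse line so an import sorter does not reshuffle the block on the next touch.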
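Review bot: Adding CCAccessTokenRequest to the isinstance tuple in post_token_parse exempts client-credentials token requests from the PKCE check, but the docstring whose closing `"""` opens the hunk is not updated; if it enumerates the request types that bypass verification, it should now name client-credentials requests and say why (there is no authorization code, hence no code_verifier to check). The widened tuple also exceeds the formatter's line length, so black would split it one class per line; doing that in this commit avoids a formatting-only follow-up. post_token_parse's signature and the rest of its body are outside the hunk.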
@@ -32,6 +32,7 @@ class Introspection(Endpoint): def __init__(self, upstream_get, **kwargs): Endpoint.__init__(self, upstream_get, **kwargs) self.offset = kwargs.get("offset", 0) + self.enforce_aud_restriction = kwargs.get("enforce_audience_restriction", True) def _introspect(self, token, client_id, grant): # Make sure that the token is an access_token or a refresh_token @@ -114,8 +115,17 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs if not aud: aud = grant.resources - if request["client_id"] not in aud: - return {"response_args": _resp} + client_id = request["client_id"] + try: + _cinfo = _context.cdb[client_id] + enforce_aud_restriction = _cinfo.get( + "enforce_audience_restriction", self.enforce_aud_restriction + ) + except: + enforce_aud_restriction = self.enforce_aud_restriction + if enforce_aud_restriction: + if request["client_id"] not in aud: + return {"response_args": _resp} _info = self._introspect(_token, _session_info["client_id"], _session_info["grant"]) if _info is None: diff --git a/tests/test_server_31_oauth2_introspection.py b/tests/test_server_31_oauth2_introspection.py index bc39af7e..5e28c632 100644 --- a/tests/test_server_31_oauth2_introspection.py +++ b/tests/test_server_31_oauth2_introspection.py @@ -132,6 +132,7 @@ def create_endpoint(self, jwt_token): "kwargs": { "client_authn_method": ["client_secret_post"], "enable_claims_per_client": False, + "enforce_audience_restriction": True, }, }, "token": {
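Review bot: The attribute set in Introspection.__init__ is spelled `enforce_aud_restriction` while the configuration key it reads, and the per-client cdb key read later in process_request, are both `enforce_audience_restriction`; using `self.enforce_audience_restriction = kwargs.get("enforce_audience_restriction", True)` keeps one name for the option across config, cdb and code. The value is used as-is, so a non-boolean coming from config (a string such as `"False"`, if the config loader can produce one) would be truthy; a short comment on the line, `# secure default: only the token's audience may introspect it`, would make the default's intent explicit to operators.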
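Review bot: The bare `except:` in process_request catches every exception from the cdb lookup, including SystemExit, KeyboardInterrupt and any programming error in `_cinfo.get`, and silently falls back to the endpoint default; the only failure the fallback is meant for is the client missing from the cdb, so it should be `except KeyError:` (the client_authn hunk in this same commit already treats that exact lookup as a KeyError). The new `client_id` local is assigned but the audience check two lines later still indexes `request["client_id"]` again; folding the enforcement flag into one condition, `if enforce_aud_restriction and client_id not in aud:`, removes the duplicate lookup and the extra nesting. Since a client whose cdb entry sets `enforce_audience_restriction` to False can introspect tokens not issued to it, the option deserves a line in the endpoint's documentation stating that it relaxes the RFC 7662 expectation that only the token's intended audience learns its state. process_request begins before this hunk, and `_context`, `_resp`, `aud` and `_token` are defined outside it.
```python
client_id = request["client_id"]
try:
    _cinfo = _context.cdb[client_id]
except KeyError:
    # Client not registered in the cdb: fall back to the endpoint-wide default.
    # Any other failure is a bug and must not be masked.
    _cinfo = {}
enforce_aud_restriction = _cinfo.get(
    "enforce_audience_restriction", self.enforce_aud_restriction
)
if enforce_aud_restriction and client_id not in aud:
    return {"response_args": _resp}
# … unchanged: _introspect call and response assembly …
```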
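Review bot: The test configuration added in create_endpoint sets `"enforce_audience_restriction": True`, which is the value Introspection.__init__ already defaults to, so the new code paths — the endpoint-wide False setting, the per-client override read from the cdb, and the fallback when the client is absent from the cdb — are not exercised by this change. A test that sets the endpoint option to False (or a client cdb entry with `"enforce_audience_restriction": False`) and asserts that a token outside the client's audience is still introspected, plus one asserting the default still returns the inactive response, would pin the behaviour the commit introduces. create_endpoint's body extends beyond the hunk.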