diff --git a/auth.py b/auth.py
index 112fd9c..a3ff749 100644
--- a/auth.py
+++ b/auth.py
@@ -135,16 +135,27 @@ async def authenticate_user(data_dir: Path, username: str, password: str) -> Opt
 )
-def create_access_token(username: str) -> Token:
- """Create a JWT access token."""
+def create_access_token(username: str, l2_server: str = None) -> Token:
+ """Create a JWT access token.
+
+ Args:
+ username: The username
+ l2_server: The L2 server URL (e.g., https://artdag.rose-ash.com)
+ Required for L1 to verify tokens with the correct L2.
+ """
 expires = datetime.now(timezone.utc) + timedelta(days=ACCESS_TOKEN_EXPIRE_DAYS)
 payload = {
 "sub": username,
+ "username": username, # Also include as username for compatibility
 "exp": expires,
 "iat": datetime.now(timezone.utc)
 }
+ # Include l2_server so L1 knows which L2 to verify with
+ if l2_server:
+ payload["l2_server"] = l2_server
+
 token = jwt.encode(payload, SECRET_KEY, algorithm=ALGORITHM)
 return Token(
diff --git a/server.py b/server.py
index 9c016e5..5ba9bf1 100644
--- a/server.py
+++ b/server.py
@@ -329,7 +329,7 @@ async def ui_login_submit(request: Request):
 if not user:
 return HTMLResponse('
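Review bot: The new `l2_server` claim in `create_access_token` names the server L1 should ask when verifying the token, so the value that selects the verifier travels inside the credential being verified. The L1 side is not visible in this diff, but if it reads the claim before any signature check of its own and then contacts that URL, the claim has to be matched against a configured allowlist of trusted L2 origins first; I would say so where the claim is added, e.g. `# l2_server is a routing hint only; verifiers must match it against their configured L2 allowlist before contacting it`. The docstring also calls the argument "Required" while the signature defaults it to `None` and the `if l2_server:` branch silently issues a token without the claim, so either document it as optional and state what L1 does when it is absent, or annotate it as `l2_server: Optional[str] = None` (the hunk header suggests `Optional` is already in use in this file). The body of `create_access_token` continues past the end of the hunk.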