diff --git a/lib/helpers/client.js b/lib/helpers/client.js
index 529f75d0..62bf9be6 100644
--- a/lib/helpers/client.js
+++ b/lib/helpers/client.js
@@ -90,19 +90,8 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
 case 'private_key_jwt':
 case 'client_secret_jwt': {
 const timestamp = now();
-
- const mTLS = endpoint === 'token' && this.tls_client_certificate_bound_access_tokens;
 const audience = [
- ...new Set(
- [
- this.issuer.issuer,
- this.issuer.token_endpoint,
- this.issuer[`${endpoint}_endpoint`],
- mTLS && this.issuer.mtls_endpoint_aliases
- ? this.issuer.mtls_endpoint_aliases.token_endpoint
- : undefined,
- ].filter(Boolean),
- ),
+ ...new Set([this.issuer.issuer, this.issuer.token_endpoint].filter(Boolean)),
 ];
 
 const assertion = await clientAssertion.call(this, endpoint, {
diff --git a/test/client/mtls.test.js b/test/client/mtls.test.js
index 92075bda..4177daf9 100644
--- a/test/client/mtls.test.js
+++ b/test/client/mtls.test.js
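Review bot: The new audience list no longer depends on `endpoint` or on `mtls_endpoint_aliases`, but nothing in the code records that this is deliberate, and the next maintainer will be tempted to re-add the per-endpoint URL the old code carried. A comment above `const audience = [` such as `// aud is intentionally endpoint-independent: issuer identifier plus token endpoint, no per-endpoint URL and no mTLS alias` would pin the contract the new test asserts. The body of authFor continues past the hunk; if `mTLS` is still referenced further down, that reference is now an unbound name and this hunk alone would not show it. With `aud` now identical for token, introspection and revocation, an authorization server can only tell an assertion presented at the wrong endpoint apart by `jti` single-use and the short `exp`, which was already the case since the token endpoint was always included, but it is worth stating in the changelog for deployers who validate `aud` strictly against the mTLS alias.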
@@ -102,33 +102,32 @@ describe('mutual-TLS', () => {
 token_endpoint_auth_signing_alg: 'HS256',
 tls_client_certificate_bound_access_tokens: true,
 });
+ this.jwtAuthClientNoSenderConstraining = new issuer.Client({
+ client_id: 'client',
+ client_secret: 'secret',
+ token_endpoint_auth_method: 'client_secret_jwt',
+ token_endpoint_auth_signing_alg: 'HS256',
+ tls_client_certificate_bound_access_tokens: false,
+ });
 this.client[custom.http_options] = () => ({ key, cert });
 });
 
- it('uses the mtls endpoint alias for token endpoint when using jwt auth and tls certs', async function () {
+ it('uses the issuer identifier and token endpoint as private_key_jwt audiences', async function () {
 let {
 form: { client_assertion: jwt },
 } = await clientHelpers.authFor.call(this.jwtAuthClient, 'token');
 let { aud } = jose2.JWT.decode(jwt);
- expect(aud).to.include('https://mtls.op.example.com/token');
- expect(aud).to.include('https://op.example.com/token');
- expect(aud).to.include('https://op.example.com');
+ expect(aud).to.deep.equal(['https://op.example.com', 'https://op.example.com/token']);
 ({
 form: { client_assertion: jwt },
 } = await clientHelpers.authFor.call(this.jwtAuthClient, 'introspection'));
 ({ aud } = jose2.JWT.decode(jwt));
- expect(aud).not.to.include('https://mtls.op.example.com/token/introspect');
- expect(aud).to.include('https://op.example.com/token/introspect');
- expect(aud).to.include('https://op.example.com/token');
- expect(aud).to.include('https://op.example.com');
+ expect(aud).to.deep.equal(['https://op.example.com', 'https://op.example.com/token']);
 ({
 form: { client_assertion: jwt },
 } = await clientHelpers.authFor.call(this.jwtAuthClient, 'revocation'));
 ({ aud } = jose2.JWT.decode(jwt));
- expect(aud).not.to.include('https://mtls.op.example.com/token/revoke');
- expect(aud).to.include('https://op.example.com/token/revoke');
- expect(aud).to.include('https://op.example.com/token');
- expect(aud).to.include('https://op.example.com');
+ expect(aud).to.deep.equal(['https://op.example.com', 'https://op.example.com/token']);
 });
 
 it('requires mTLS for userinfo when tls_client_certificate_bound_access_tokens is true', async function () {
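Review bot: `this.jwtAuthClientNoSenderConstraining` is created in the beforeEach block but never exercised in this hunk; every `authFor` call still targets `this.jwtAuthClient`, so the fixture either serves a test outside the hunk or is dead. If the intent is to show the audience is the same whether or not `tls_client_certificate_bound_access_tokens` is set, add one more `expect(aud).to.deep.equal(['https://op.example.com', 'https://op.example.com/token'])` on the result of `clientHelpers.authFor.call(this.jwtAuthClientNoSenderConstraining, 'token')` next to the existing token-endpoint assertion. The new title says `private_key_jwt`, while the fixture visible here uses `client_secret_jwt` with `HS256`; unless `this.jwtAuthClient` is configured differently above the hunk, `client_secret_jwt` or simply `jwt auth` would name the test accurately. The enclosing `describe('mutual-TLS')` block starts before and ends after the hunk.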