diff --git a/action.yml b/action.yml
index 72bcf2b..ea65bfc 100644
--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,9 @@ inputs:
   oauth-secret:
     description: "Tailscale OAuth Secret"
     required: false
+  audience:
+    description: "Audience for JWT"
+    required: false
   policy-file:
     description: "Path to policy file"
     required: true
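Review bot: The new `audience` input is under-documented for something that switches the action onto a different credential path: `description: "Audience for JWT"` does not tell the caller that this value is only used together with `oauth-client-id`, that it has to match the audience configured on the Tailscale side (the updated error text points at `https://tailscale.com/s/trust-credentials`, so presumably the trust credential's configured audience — worth confirming in the wording), or that the calling workflow must grant `permissions: id-token: write` or the runner will not expose the OIDC request URL/token that the fetch step relies on. Suggested text: `description: "OIDC audience for GitHub's ID token; used with oauth-client-id instead of oauth-secret. The calling workflow must grant permissions: id-token: write, and the value must match the audience configured for the Tailscale trust credential."`.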
@@ -24,29 +27,39 @@ runs:
   using: "composite"
   steps:
     - name: Check Auth Info Empty
-      if: ${{ inputs['api-key'] == '' && inputs['oauth-secret'] == '' }}
+      if: ${{ inputs['api-key'] == '' && inputs['oauth-secret'] == '' && inputs['oauth-client-id'] == ''}}
       shell: bash
       run: |
-        echo "::error title=⛔ error hint::API Key or OAuth secret must be specified. Maybe you need to populate it in the Secrets for your workflow, see more in https://docs.github.com/en/actions/security-guides/encrypted-secrets and https://tailscale.com/s/oauth-clients"
+        echo "::error title=⛔ error hint::API Key, OAuth secret, or OAuth client ID and audience must be specified. Maybe you need to populate it in the Secrets for your workflow, see more in https://docs.github.com/en/actions/security-guides/encrypted-secrets and https://tailscale.com/s/trust-credentials
         exit 1
     - name: Check Conflicting Auth Info
-      if: ${{ inputs['api-key'] != '' && inputs['oauth-secret'] != '' }}
+      if: ${{ (inputs['api-key'] != '' && (inputs['oauth-secret'] != '' || inputs['audience'] != '')) || (inputs['oauth-secret'] != '' && (inputs['api-key'] != '' || inputs['audience'] != '')) || (inputs['audience'] != '' && (inputs['api-key'] != '' || inputs['oauth-secret'] != '')) }}
       shell: bash
       run: |
-        echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified.
+        echo "::error title=⛔ error hint::only one of API Key, OAuth secret, or OAuth client ID and audience should be specified."
         exit 1
     - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: 1.25.5
         cache: false
-
+    - name: Fetch ID token
+      if: ${{ inputs['oauth-client-id'] != '' && inputs['audience'] != '' }}
+      shell: bash
+      id: fetch-id-token
+      run: |
+        ID_TOKEN=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${{ inputs.audience }}" | jq -r '.value')
+        echo "::add-mask::ID_TOKEN"
+        echo "id_token=$ID_TOKEN" >> $GITHUB_OUTPUT
     - name: Gitops pusher
       shell: bash
       env:
-        # gitops-pusher will use OAUTH_ID and OAUTH_SECRET if non-empty,
+        # gitops-pusher will use OAUTH_ID and OAUTH_SECRET or
+        # OAUTH_ID and ID_TOKEN if non-empty,
         # otherwise it will use API_KEY.
         TS_OAUTH_ID: "${{ inputs.oauth-client-id }}"
         TS_OAUTH_SECRET: "${{ inputs.oauth-secret }}"
+        TS_ID_TOKEN: "${{ steps.fetch-id-token.outputs.id_token }}"
         TS_API_KEY: "${{ inputs.api-key }}"
         TS_TAILNET: "${{ inputs.tailnet }}"
-      run: go run tailscale.com/cmd/gitops-pusher@2078eb56f3ca310821aae3fa140aa3b0d3bda2dc "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"
+      run: go run tailscale.com/cmd/gitops-pusher@4c37141ab780dbf6c037bd64fe48ab330441ad06 "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"
+
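Review bot: In the new `Fetch ID token` step, `echo "::add-mask::ID_TOKEN"` masks the literal string `ID_TOKEN`, not the token value, so the OIDC JWT written to `$GITHUB_OUTPUT` and later exported as `TS_ID_TOKEN` would appear unredacted in any log line that prints it; it must be `echo "::add-mask::$ID_TOKEN"` and it should run before the value is written to the output file. The `curl` call also has no `--fail`, so a 4xx from the token endpoint (typically the calling workflow lacking `permissions: id-token: write`) makes `jq -r '.value'` emit `null`, which is then passed to gitops-pusher as a token instead of failing the step; `${{ inputs.audience }}` is likewise spliced straight into the script body and the URL unencoded rather than being passed through `env` and `--data-urlencode`. Separately, as rendered here the rewritten `API Key, OAuth secret, or OAuth client ID and audience must be specified` line appears to have lost its closing `"` (the old line ended with `oauth-clients"`), which would turn that error path into a bash unterminated-quote error instead of the intended message — worth confirming against the actual file. Rewritten fetch step below; the rest of the hunk is unchanged.
```yaml
    - name: Fetch ID token
      if: ${{ inputs['oauth-client-id'] != '' && inputs['audience'] != '' }}
      shell: bash
      id: fetch-id-token
      env:
        AUDIENCE: ${{ inputs.audience }}
      run: |
        ID_TOKEN=$(curl -sS --fail -G \
          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          --data-urlencode "audience=${AUDIENCE}" \
          "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value')
        if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
          echo "::error title=⛔ error hint::failed to fetch ID token; does the workflow grant 'permissions: id-token: write'?"
          exit 1
        fi
        echo "::add-mask::$ID_TOKEN"
        echo "id_token=$ID_TOKEN" >> "$GITHUB_OUTPUT"
    # … unchanged: Gitops pusher step …
```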