diff --git a/api/views.py b/api/views.py index 6beb607..4a54d4c 100644 --- a/api/views.py +++ b/api/views.py @@ -28,9 +28,6 @@ class APIOverview(views.APIView): def get(self, request, format=None): data = { - "api-token": drf_reverse( - "token_obtain_pair", request=request, format=format - ), "userprofile": drf_reverse( "api:userprofile-list", request=request, format=format ), diff --git a/brostar/settings.py b/brostar/settings.py index 47091b0..e7026e0 100644 --- a/brostar/settings.py +++ b/brostar/settings.py @@ -1,8 +1,10 @@ import os -from datetime import timedelta from pathlib import Path FIELD_ENCRYPTION_KEY = os.getenv("FIELD_ENCRYPTION_KEY") +NENS_AUTH_ISSUER = os.getenv("NENS_AUTH_ISSUER") +NENS_AUTH_CLIENT_ID = os.getenv("NENS_AUTH_CLIENT_ID") +NENS_AUTH_CLIENT_SECRET = os.getenv("NENS_AUTH_CLIENT_SECRET") # Environment variables can get a default value from docker-compose itself *or* from a # `.env` file, as docker-compose automatically reads that (if the environment variable # itself is mentioned in the compose file). @@ -26,6 +28,10 @@ ALLOWED_HOSTS = [] +CSRF_TRUSTED_ORIGINS = [ + "http://localhost:4200", +] + # Application definition @@ -33,6 +39,7 @@ "api.apps.ApiConfig", "gmn.apps.GmnConfig", "gmw.apps.GmwConfig", + "nens_auth_client", "django.contrib.admin", "django.contrib.auth", "django.contrib.contenttypes", @@ -43,7 +50,6 @@ "drf_yasg", "corsheaders", "django_filters", - "rest_framework_simplejwt", "encrypted_model_fields", ] @@ -58,6 +64,15 @@ "corsheaders.middleware.CorsMiddleware", ] + +AUTHENTICATION_BACKENDS = [ + "nens_auth_client.backends.RemoteUserBackend", + "nens_auth_client.backends.AcceptNensBackend", + "nens_auth_client.backends.TrustedProviderMigrationBackend", + "django.contrib.auth.backends.ModelBackend", +] + + ROOT_URLCONF = "brostar.urls" TEMPLATES = [ 
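Review bot: The new `CSRF_TRUSTED_ORIGINS` entry `"http://localhost:4200"` is a development origin hard-coded into the one settings module every environment loads, so a plain-http localhost origin is also trusted for unsafe requests in production. Read the list from the environment, or add the entry only in debug mode, e.g. `CSRF_TRUSTED_ORIGINS = ["http://localhost:4200"] if DEBUG else []`. That assumes `DEBUG` is defined above this hunk; docker-compose passes it in, but its definition is not visible here. The production frontend origin, once known, belongs in the same setting as an https URL.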
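Review bot: `AUTHENTICATION_BACKENDS` enables `AcceptNensBackend` and `TrustedProviderMigrationBackend` with no comment saying why this project needs them. As far as I know, the nens-auth-client documentation treats both as optional, and the migration backend links externally authenticated users to pre-existing local accounts by username. If this install has no accounts to migrate, that is an account-linking path with no purpose. If they are not needed, keep only `RemoteUserBackend` and `ModelBackend`; otherwise add a one-line comment per backend stating which users it is meant to admit.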
@@ -161,9 +176,9 @@ "PAGE_SIZE": 1000, "DEFAULT_FILTER_BACKENDS": ["django_filters.rest_framework.DjangoFilterBackend"], "DEFAULT_AUTHENTICATION_CLASSES": ( + "nens_auth_client.rest_framework.OAuth2TokenAuthentication", "rest_framework.authentication.BasicAuthentication", "rest_framework.authentication.SessionAuthentication", - "rest_framework_simplejwt.authentication.JWTAuthentication", ), } @@ -177,7 +192,3 @@ BRO_UITGIFTE_SERVICE_URL = "https://publiek.broservices.nl" BRONHOUDERSPORTAAL_URL = "https://acc.bronhouderportaal-bro.nl" # BRONHOUDERSPORTAAL_URL = "https://www.bronhouderportaal-bro.nl" - -SIMPLE_JWT = { - "ACCESS_TOKEN_LIFETIME": timedelta(hours=5), -} diff --git a/brostar/urls.py b/brostar/urls.py index 2401390..9858ff6 100644 --- a/brostar/urls.py +++ b/brostar/urls.py @@ -19,13 +19,8 @@ from django.urls import include, path from drf_yasg import openapi from drf_yasg.views import get_schema_view +from nens_auth_client.urls import override_admin_auth, override_rest_framework_auth from rest_framework import permissions -from rest_framework_simplejwt.views import ( - TokenObtainPairView, - TokenRefreshView, -) - -from api import views schema_view = get_schema_view( openapi.Info( @@ -41,7 +36,10 @@ ) urlpatterns = [ + path("auth/", include("nens_auth_client.urls", namespace="auth")), + *override_admin_auth(), path("admin/", admin.site.urls), + *override_rest_framework_auth(), path( "swagger/", schema_view.with_ui("swagger", cache_timeout=0), @@ -49,9 +47,6 @@ ), path("redoc/", schema_view.with_ui("redoc", cache_timeout=0), name="schema-redoc"), path("api/", include(("api.urls", "api"), namespace="api")), - path("api/token/", TokenObtainPairView.as_view(), name="token_obtain_pair"), - path("api/token/refresh/", TokenRefreshView.as_view(), name="token_refresh"), - path("api-auth/logout/", views.LogoutView.as_view(), name="logout"), ] diff --git a/docker-compose.yml b/docker-compose.yml index 95f1399..e6c205d 100644 --- a/docker-compose.yml 
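Review bot: `rest_framework.authentication.BasicAuthentication` stays in `DEFAULT_AUTHENTICATION_CLASSES` next to the new `OAuth2TokenAuthentication`, so every API endpoint still accepts a local username and password on each request, outside the SSO flow this commit introduces. `ModelBackend` is also kept in `AUTHENTICATION_BACKENDS`, which is what checks those passwords. If password access for scripts is intended, say so in a comment and make sure the API is only reachable over TLS; otherwise drop the line. The settings dict this tuple belongs to starts above the hunk.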
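Review bot: The position of `*override_admin_auth()` before `path("admin/", admin.site.urls)` in `urlpatterns` is load-bearing and nothing says so. Django uses the first matching pattern, so moving the override below the admin include would presumably put the stock admin password login back in front. A comment such as `# Must stay above admin/: first match wins, this replaces the admin login/logout views.` would guard against a later reordering. `urlpatterns` continues past the end of the hunk.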
+++ b/docker-compose.yml @@ -21,6 +21,9 @@ services: environment: - DJANGO_SETTINGS_MODULE=brostar.settings - FIELD_ENCRYPTION_KEY="DUMMY-NEEDS-PROD-SETTING-Xgb1GczqZe909UMNc4= + - NENS_AUTH_ISSUER + - NENS_AUTH_CLIENT_ID + - NENS_AUTH_CLIENT_SECRET build: . command: celery -A brostar worker --loglevel=INFO volumes: @@ -48,9 +51,9 @@ services: - DEBUG - FIELD_ENCRYPTION_KEY="DUMMY-NEEDS-PROD-SETTING-Xgb1GczqZe909UMNc4= # - SENTRY_DSN - # - NENS_AUTH_ISSUER - # - NENS_AUTH_CLIENT_ID - # - NENS_AUTH_CLIENT_SECRET + - NENS_AUTH_ISSUER + - NENS_AUTH_CLIENT_ID + - NENS_AUTH_CLIENT_SECRET depends_on: - db - redis diff --git a/requirements.txt b/requirements.txt index 99be17d..357a04b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ -e .[test] +--extra-index-url https://packages.lizard.net # TODO: dependencies django == 5.0.1 @@ -17,7 +18,7 @@ xmltodict python-dotenv django-encrypted-model-fields django-filter -djangorestframework-simplejwt +nens-auth-client # development tools ruff
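Review bot: `NENS_AUTH_CLIENT_SECRET` is now also injected into the service whose command is `celery -A brostar worker`, and nothing in this diff shows the worker performing a login. `settings.py` reads the three values with `os.getenv`, which returns None when they are absent, so the worker should start without them. Unless a task needs the OAuth client credentials, leave them on the web service only, so the secret sits in one container's environment rather than two. The service definitions start above the hunk.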
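Review bot: `--extra-index-url https://packages.lizard.net` makes pip consult that index and PyPI for every requirement in this file and take the best version from either, while the new `nens-auth-client` line in the second hunk carries no version. That is the dependency-confusion setup: whoever controls that name on the other index can decide what gets installed as the authentication library. Pin the package to the release you tested, e.g. `nens-auth-client == <VERSION>`. Also consider hash-checking with `--require-hashes`, or a single index that proxies both sources.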