diff --git a/config/default.yml b/config/default.yml
index 0f7737f..704ca7a 100644
--- a/config/default.yml
+++ b/config/default.yml
@@ -35,6 +35,7 @@ auth_keys:
 hid_key: q7FltzZWfvGIrdEdHYY # 一旦设定,尽量不要改变,否则派生出去的 HID 无法识别
 open_trust:
 otid: ""
+ legacy_otid: ""
 private_keys: []
 domain_public_keys:
 - '{"kty":"RSA","alg":"PS256","e":"AQAB","kid":"4PblNZYSnOsy8sD6SHZPEl6DCqEerpgfi_sPxthHpWM","n":"0FjUWU9H6P9JTe3ZFOGxoVlYKFlzr98N44vIvjvvLVM1FU3MECJeTpztgnONZKelBO2YSY29v1mTl_PLWxVsn-gwkRczp1F5ogvt64dkPpaSdzpOLS1aKhqJSpVJp-D0lJWJ4ksEvyvM1hMNe9F3gbI6yyLigPhfF6qPdS2PxbFdilX4TmvrmViFnkVT31L4aXVuaEg9juLfxbIs-lnbvE9_L0a-zm-PfN-sLP3_SrPtUBLRH-cVgiMc43eXqU1H5AqJ0XzPHdrwzTRFiZuLsyaI2zj67D2x9Wwn8ze2OeP_B6th97XQfS_6zJ5BDs_VPoQi19F0Ts3dWnlXi2CrhQ"}'
diff --git a/src/conf/config.go b/src/conf/config.go
index 0e82c4b..14924cf 100644
--- a/src/conf/config.go
+++ b/src/conf/config.go
@@ -37,6 +37,7 @@ type SQL struct {
 // OpenTrust ...
 type OpenTrust struct {
 OTID otgo.OTID `json:"otid" yaml:"otid"`
+ LegacyOTID otgo.OTID `json:"legacy_otid" yaml:"legacy_otid"`
 PrivateKeys []string `json:"private_keys" yaml:"private_keys"`
 DomainPublicKeys []string `json:"domain_public_keys" yaml:"domain_public_keys"`
 }
diff --git a/src/middleware/auth.go b/src/middleware/auth.go
index 3306aa2..6c65976 100644
--- a/src/middleware/auth.go
+++ b/src/middleware/auth.go
@@ -27,6 +27,13 @@ func init() {
 logging.Panicf("Parse Open Trust config failed: %s", err)
 }
 }
+ if err := otConf.LegacyOTID.Validate(); err == nil {
+ otLegacyVerifier, err = otgo.NewVerifier(conf.Config.GlobalCtx, otConf.LegacyOTID, false,
+ otConf.DomainPublicKeys...)
+ if err != nil {
+ logging.Panicf("Parse Open Trust config failed: %s", err)
+ }
+ }
 
 if otVerifier == nil && Auther == nil {
 logging.Warningf("`auth_keys` is empty, Auth middleware will not be executed.")
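Review bot: The new `legacy_otid` key under `open_trust` carries no explanation, while the neighbouring `hid_key` entry documents its rotation caveat inline. Judging by src/middleware/auth.go in this same commit, the value keeps a second OTID accepted as a fallback verifier, which is the kind of setting an operator should know to remove once a migration is finished. Suggest a trailing comment such as `legacy_otid: "" # previous otid still accepted while tokens are re-issued; clear it once rotation is complete`.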
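Review bot: `LegacyOTID` is added without a field comment, and the struct's own comment is the placeholder `// OpenTrust ...`, so nothing in the config type tells a reader that this value widens the set of tokens the middleware accepts. Suggest `// LegacyOTID, when it validates, is a second OTID whose tokens are also accepted by middleware.Auth; leave it empty once rotation is complete.` It is also worth stating in that comment that the legacy verifier is built with the same `DomainPublicKeys` as the primary one, since the auth.go hunk in this commit relies on that.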
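Review bot: The guard `if err := otConf.LegacyOTID.Validate(); err == nil` treats a malformed `legacy_otid` the same as an unset one, so a typo in that value silently disables the legacy path, whereas the context lines just above show the primary OTID path panicking on a parse error. If `otgo.OTID` offers an emptiness check, skip only when the value is empty and panic on any other `Validate` error; the `false` argument to `NewVerifier` is also unexplained and deserves a short comment. The panic text is a copy of the primary one and hides which key failed — `logging.Panicf("Parse Open Trust legacy config failed: %s", err)`. `init` begins before this hunk.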
@@ -34,6 +41,7 @@ func init() {
 }
 
 var otVerifier *otgo.Verifier
+var otLegacyVerifier *otgo.Verifier
 
 // Auther 是基于 JWT 的身份验证,当 config.auth_keys 配置了才会启用
 var Auther *auth.Auth
@@ -47,6 +55,9 @@ func Auth(ctx *gear.Context) error {
 }
 
 vid, err := otVerifier.ParseOTVID(token)
+ if err != nil && otLegacyVerifier != nil {
+ vid, err = otLegacyVerifier.ParseOTVID(token)
+ }
 if err != nil {
 if Auther != nil { // 兼容老的 jwt 验证
 return oldAuth(ctx)
@@ -54,7 +65,7 @@ func Auth(ctx *gear.Context) error {
 return gear.ErrUnauthorized.WithMsg("authorization token verification failed")
 }
 
- logging.AccessLogger.SetTo(ctx, "otSub", vid.ID.String())
+ logging.AccessLogger.SetTo(ctx, "subject", vid.ID.String())
 return nil
 }
 return oldAuth(ctx)
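Review bot: `otLegacyVerifier` is declared without a comment, and the only place its nil-ness is explained is the `Validate` guard in `init` earlier in this commit, so a reader of `Auth` cannot tell from the declaration that nil means no usable `legacy_otid` was configured. Suggest `// otLegacyVerifier verifies tokens issued under LegacyOTID; nil unless legacy_otid validates in init.` The existing `otVerifier` declaration would benefit from the same treatment.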
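Review bot: The fallback `vid, err = otLegacyVerifier.ParseOTVID(token)` accepts a token under the legacy OTID without recording that the legacy path was taken, so the access log cannot show when legacy tokens stop arriving and `legacy_otid` can be retired, nor distinguish a token the primary verifier rejected from one it accepted. Suggest tagging the entry inside that branch with a key of your choosing, e.g. `logging.AccessLogger.SetTo(ctx, "otLegacy", "true")` placed after the legacy parse succeeds. Discarding the primary verifier's error is fine here since only the generic `ErrUnauthorized` reaches the client, but a one-line comment saying the fallback is deliberate would help. `Auth` starts before and ends after this hunk.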
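Review bot: Renaming the access-log field from `otSub` to `subject` silently breaks any log pipeline, dashboard or alert keyed on `otSub`, and nothing in the commit calls the rename out. If such consumers exist, emit both keys for a transition period, e.g. keep `logging.AccessLogger.SetTo(ctx, "otSub", vid.ID.String())` alongside the new line, or at least record the rename where operators will see it. `Auth` continues past the end of this hunk.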