diff --git a/apps/cloud/src/env-augment.d.ts b/apps/cloud/src/env-augment.d.ts
index 3977d7236..9a0af5c70 100644
--- a/apps/cloud/src/env-augment.d.ts
+++ b/apps/cloud/src/env-augment.d.ts
@@ -25,7 +25,6 @@ declare global {
 EXECUTOR_MCP_DEBUG?: string;
 MCP_AUTHKIT_DOMAIN?: string;
 MCP_RESOURCE_ORIGIN?: string;
- MCP_STRICT_AUDIENCE?: string;
 NODE_ENV?: string;
 // Shared with frontend
diff --git a/apps/cloud/src/mcp.ts b/apps/cloud/src/mcp.ts
index e022bbc3c..5720a6945 100644
--- a/apps/cloud/src/mcp.ts
+++ b/apps/cloud/src/mcp.ts
@@ -17,7 +17,7 @@ import { env } from "cloudflare:workers";
 import { HttpApp, HttpServerRequest, HttpServerResponse } from "@effect/platform";
 import * as Sentry from "@sentry/cloudflare";
-import { Context, Effect, Either, Layer, Option, Schema } from "effect";
+import { Context, Effect, Layer, Option, Schema } from "effect";
 import { createRemoteJWKSet } from "jose";
 import { TelemetryLive } from "./services/telemetry";
@@ -94,27 +94,9 @@ export class McpAuth extends Context.Tag("@executor/cloud/McpAuth")<
 >() {}
 const verifyJwt = (token: string) =>
- Effect.gen(function* () {
- const strictResult = yield* verifyMcpAccessToken(token, jwks, {
- issuer: AUTHKIT_DOMAIN,
- audience: RESOURCE_URL,
- }).pipe(Effect.either);
-
- if (Either.isRight(strictResult)) {
- return strictResult.right;
- }
-
- if (env.MCP_STRICT_AUDIENCE === "true") {
- return yield* Effect.fail(strictResult.left);
- }
-
- const verified = yield* verifyMcpAccessToken(token, jwks, {
- issuer: AUTHKIT_DOMAIN,
- });
- yield* Effect.annotateCurrentSpan({
- "mcp.auth.audience_fallback": true,
- });
- return verified;
+ verifyMcpAccessToken(token, jwks, {
+ issuer: AUTHKIT_DOMAIN,
+ audience: RESOURCE_URL,
 });
 export const McpAuthLive = Layer.succeed(McpAuth, {
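Review bot: `verifyJwt` in apps/cloud/src/mcp.ts now rejects every token whose `aud` is not `RESOURCE_URL`, but nothing on the new lines says this is deliberate, so a later change could reintroduce an issuer-only path. I would add a comment above the call such as `// Audience is always enforced: a token issued by AUTHKIT_DOMAIN for a different resource must be rejected here.` The removed branch also set the `mcp.auth.audience_fallback` span attribute, which was the only visible signal of how many clients present tokens without the expected audience; those clients will presumably start failing authentication, so it is worth confirming that the rejection is logged or counted where the error is handled (outside this hunk). A regression test asserting that a correctly signed token with a wrong or missing `aud` fails would pin the behaviour; none is visible in this diff.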