diff --git a/examples/README-OIDC-WORKLOAD-IDENTITY.md b/examples/README-OIDC-WORKLOAD-IDENTITY.md
index e7557cb9..f7bf1a6a 100644
--- a/examples/README-OIDC-WORKLOAD-IDENTITY.md
+++ b/examples/README-OIDC-WORKLOAD-IDENTITY.md
@@ -134,7 +134,7 @@ GitHub Actions can use OIDC tokens to authenticate:
 ```yaml
 - name: Login to Zot
 run: |
- TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ TOKEN=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
 "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=zot" | jq -r .value)
 echo $TOKEN | docker login -u oauth --password-stdin zot.example.com
 ```
diff --git a/pkg/api/authn.go b/pkg/api/authn.go
index a5cfd7f8..e3a639d1 100644
--- a/pkg/api/authn.go
+++ b/pkg/api/authn.go
@@ -624,7 +624,14 @@ func bearerAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
 }
 
 // No authentication succeeded
- ctlr.Log.Error().Msg("bearer authentication failed")
+ if isAuthorizationHeaderEmpty(request) {
+ // No bearer token provided and no authentication method configured
+ ctlr.Log.Debug().Msg("no bearer token provided")
+ } else {
+ // Bearer token provided but authentication failed
+ ctlr.Log.Error().Msg("bearer authentication failed")
+ }
+
 response.Header().Set("Content-Type", "application/json")
 zcommon.WriteJSON(response, http.StatusUnauthorized, apiErr.NewError(apiErr.UNAUTHORIZED))
 })
diff --git a/pkg/api/bearer_oidc.go b/pkg/api/bearer_oidc.go
index 44e4069f..500ab8a5 100644
--- a/pkg/api/bearer_oidc.go
+++ b/pkg/api/bearer_oidc.go
@@ -89,7 +89,7 @@ func (a *OIDCBearerAuthorizer) Authenticate(ctx context.Context, header string)
 return "", nil, fmt.Errorf("%w: %w", zerr.ErrInvalidBearerToken, err)
 }
 
- // Verify audience manually (the verifier checks against the first audience only, but we need to check all)
+ // Additional audience verification to support multiple audiences
 if !a.verifyAudience(idToken) {
 a.log.Debug().Str("token_aud", fmt.Sprintf("%v", idToken.Audience)).
 Strs("accepted_aud", a.audiences).
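Review bot: The Error branch in the authn.go hunk still records nothing about why bearer authentication failed or where the request came from, so repeated 401s cannot be triaged from the log (an expired token, a wrong audience and a malformed header all produce the same line). If the authorizer error is still in scope in the enclosing loop, which starts above the hunk, attach it together with the peer address, e.g. `ctlr.Log.Error().Str("remote", request.RemoteAddr).Msg("bearer authentication failed")`. The comment on the Debug branch also claims more than `isAuthorizationHeaderEmpty` establishes: an absent header says nothing about which authentication methods are configured, so `// No Authorization header: anonymous request, nothing to verify` would be accurate. bearerAuthHandler's body begins outside the hunk.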
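Review bot: The rewritten comment in the bearer_oidc.go hunk drops the reason the manual audience check exists, which is exactly what a later maintainer needs in order not to remove `a.verifyAudience(idToken)` as redundant with the library verifier. Audience verification is what keeps a token minted for a different service from being accepted here, so the rationale should stay in the comment. If the removed text's description of the verifier is still accurate, something like `// Verify audience manually: the library verifier checks a single audience, this authorizer accepts any of a.audiences` keeps both the what and the why. The Authenticate method continues past the hunk.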
diff --git a/pkg/api/config/config.go b/pkg/api/config/config.go
index 75fc33cf..f4957704 100644
--- a/pkg/api/config/config.go
+++ b/pkg/api/config/config.go
@@ -248,12 +248,12 @@ type OpenIDProviderConfig struct {
 ClaimMapping *ClaimMapping `mapstructure:",omitempty"`
 }
 
-// ClaimMapping specifies how OpenID claims are mapped to application fields.
+// ClaimMapping specifies how OIDC claims are mapped to application fields.
 // It allows customization of which claim is used as the username when authenticating users.
 type ClaimMapping struct {
- // Username specifies which OpenID claim to use as the username for the authenticated user.
+ // ClaimMapping specifies which OIDC claim to use as the username for the authenticated user.
 // Acceptable values include "preferred_username", "email", "sub", "name", or any custom claim name.
- // If not configured, the default is "email".
+ // If not configured, the default is "sub".
 Username string `mapstructure:"username,omitempty"`
 }
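Review bot: The new doc comment on the `Username` field opens with `ClaimMapping`, the name of the enclosing struct, so it no longer follows the Go convention of starting with the documented name and it misdescribes the field. Restore the field name: `// Username specifies which OIDC claim to use as the username for the authenticated user.` The default also changes from "email" to "sub" in the comment only; the code that applies that default is outside this diff, so please confirm the implementation really falls back to "sub", because a comment that disagrees with the code will send operators the wrong way when they map identities to permissions. Worth noting in that comment too that "sub" is only unique per issuer, so deployments with more than one provider should not rely on it as a global identity.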