diff --git a/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java b/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java
index ec26f823e81..703283410aa 100644
--- a/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java
+++ b/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java
@@ -44,7 +44,7 @@ public Result<ClaimToken> validate(TokenRepresentation tokenRepresentation, Publ
             var publicKeyResolutionResult = publicKeyResolver.resolveKey(publicKeyId);
 
             if (publicKeyResolutionResult.failed()) {
-                return publicKeyResolutionResult.mapTo();
+                return publicKeyResolutionResult.mapFailure();
             }
 
             var verifierCreationResult = CryptoConverter.createVerifierFor(publicKeyResolutionResult.getContent());
diff --git a/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java b/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java
index b38e142b769..06128ba5694 100644
--- a/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java
+++ b/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/ExpirationIssuedAtValidationRule.java
@@ -34,10 +34,22 @@ public class ExpirationIssuedAtValidationRule implements TokenValidationRule {
 
     private final Clock clock;
     private final int issuedAtLeeway;
+    private final boolean allowNull;
 
+    /**
+     * Instantiates the rule
+     *
+     * @deprecated Please use {@link ExpirationIssuedAtValidationRule#ExpirationIssuedAtValidationRule(Clock, int, boolean)} instead
+     */
+    @Deprecated(since = "0.7.0")
     public ExpirationIssuedAtValidationRule(Clock clock, int issuedAtLeeway) {
+        this(clock, issuedAtLeeway, false);
+    }
+
+    public ExpirationIssuedAtValidationRule(Clock clock, int issuedAtLeeway, boolean allowNull) {
         this.clock = clock;
         this.issuedAtLeeway = issuedAtLeeway;
+        this.allowNull = allowNull;
     }
 
     @Override
@@ -45,7 +57,9 @@ public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String
         var now = clock.instant();
         var expires = toVerify.getInstantClaim(EXPIRATION_TIME);
         if (expires == null) {
-            return Result.failure("Required expiration time (exp) claim is missing in token");
+            if (!allowNull) {
+                return Result.failure("Required expiration time (exp) claim is missing in token");
+            }
         } else if (now.isAfter(expires)) {
             return Result.failure("Token has expired (exp)");
         }
diff --git a/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java b/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java
index 0b6459bb4ea..0221f7f65a4 100644
--- a/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java
+++ b/core/common/token-core/src/main/java/org/eclipse/edc/token/rules/NotBeforeValidationRule.java
@@ -32,10 +32,22 @@
 public class NotBeforeValidationRule implements TokenValidationRule {
     private final Clock clock;
     private final int notBeforeLeeway;
+    private final boolean allowNull;
 
+    /**
+     * Instantiates the rule
+     *
+     * @deprecated Please use {@link NotBeforeValidationRule#NotBeforeValidationRule(Clock, int, boolean)} instead.
+     */
+    @Deprecated(since = "0.7.0")
     public NotBeforeValidationRule(Clock clock, int notBeforeLeeway) {
+        this(clock, notBeforeLeeway, false);
+    }
+
+    public NotBeforeValidationRule(Clock clock, int notBeforeLeeway, boolean allowNull) {
         this.clock = clock;
         this.notBeforeLeeway = notBeforeLeeway;
+        this.allowNull = allowNull;
     }
 
     @Override
@@ -45,7 +57,9 @@ public Result<Void> checkRule(@NotNull ClaimToken toVerify, @Nullable Map<String
         var notBefore = toVerify.getInstantClaim(NOT_BEFORE);
 
         if (notBefore == null) {
-            return Result.failure("Required not before (nbf) claim is missing in token");
+            if (!allowNull) {
+                return Result.failure("Required not before (nbf) claim is missing in token");
+            }
         } else if (leewayNow.isBefore(notBefore)) {
             return Result.failure("Current date/time with leeway before the not before (nbf) claim in token");
         }
diff --git a/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/ExpirationIssuedAtValidationRuleTest.java b/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/ExpirationIssuedAtValidationRuleTest.java
index 822f172724e..afde4e4ef2c 100644
--- a/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/ExpirationIssuedAtValidationRuleTest.java
+++ b/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/ExpirationIssuedAtValidationRuleTest.java
@@ -61,10 +61,21 @@ void validationKoBecauseExpirationTimeNotRespected() {
     }
 
     @Test
-    void validationKoBecauseExpirationTimeNotProvided() {
+    void validationKoBecauseExpirationTimeNotProvided_allowsNull() {
+        var r = new ExpirationIssuedAtValidationRule(clock, 0, true);
         var token = ClaimToken.Builder.newInstance().build();
 
-        var result = rule.checkRule(token, emptyMap());
+        var result = r.checkRule(token, emptyMap());
+
+        assertThat(result.succeeded()).isTrue();
+    }
+
+    @Test
+    void validationKoBecauseExpirationTimeNotProvided_doesNotAllowNull() {
+        var r = new ExpirationIssuedAtValidationRule(clock, 0, false);
+        var token = ClaimToken.Builder.newInstance().build();
+
+        var result = r.checkRule(token, emptyMap());
 
         assertThat(result.succeeded()).isFalse();
         assertThat(result.getFailureMessages()).hasSize(1)
diff --git a/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/NotBeforeValidationRuleTest.java b/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/NotBeforeValidationRuleTest.java
index 97cb569b0a1..8b2437810de 100644
--- a/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/NotBeforeValidationRuleTest.java
+++ b/core/common/token-core/src/test/java/org/eclipse/edc/jwt/rules/NotBeforeValidationRuleTest.java
@@ -61,14 +61,25 @@ void validationKoBecauseNotBeforeTimeNotRespected() {
     }
 
     @Test
-    void validationKoBecauseNotBeforeTimeNotProvided() {
+    void validationKoBecauseNotBeforeTimeNotProvided_doesNotAllowNull() {
+        var r = new NotBeforeValidationRule(clock, notBeforeLeeway, false);
         var token = ClaimToken.Builder.newInstance().build();
 
-        var result = rule.checkRule(token, emptyMap());
+        var result = r.checkRule(token, emptyMap());
 
         assertThat(result.succeeded()).isFalse();
         assertThat(result.getFailureMessages()).hasSize(1)
                 .contains("Required not before (nbf) claim is missing in token");
     }
 
+    @Test
+    void validationKoBecauseNotBeforeTimeNotProvided_allowsNull() {
+        var r = new NotBeforeValidationRule(clock, notBeforeLeeway, true);
+        var token = ClaimToken.Builder.newInstance().build();
+
+        var result = r.checkRule(token, emptyMap());
+
+        assertThat(result.succeeded()).isTrue();
+    }
+
 }
\ No newline at end of file
diff --git a/extensions/common/api/api-core/src/main/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImpl.java b/extensions/common/api/api-core/src/main/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImpl.java
index 7305f5cc98c..8176edc9074 100644
--- a/extensions/common/api/api-core/src/main/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImpl.java
+++ b/extensions/common/api/api-core/src/main/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImpl.java
@@ -38,4 +38,9 @@ public void register(String context, AuthenticationService service) {
     public @NotNull AuthenticationService resolve(String context) {
         return services.getOrDefault(context, ALL_PASS);
     }
+
+    @Override
+    public boolean hasService(String context) {
+        return services.containsKey(context);
+    }
 }
diff --git a/extensions/common/api/api-core/src/test/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImplTest.java b/extensions/common/api/api-core/src/test/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImplTest.java
index 24cd9d6199f..826c18dcd87 100644
--- a/extensions/common/api/api-core/src/test/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImplTest.java
+++ b/extensions/common/api/api-core/src/test/java/org/eclipse/edc/api/auth/ApiAuthenticationRegistryImplTest.java
@@ -40,4 +40,11 @@ void shouldReturnAllPass_whenNoServiceRegistered() {
 
         assertThat(service).isInstanceOf(AllPassAuthenticationService.class);
     }
+
+    @Test
+    void hasService() {
+        assertThat(registry.hasService("context")).isFalse();
+        registry.register("context", mock(AuthenticationService.class));
+        assertThat(registry.hasService("context")).isTrue();
+    }
 }
diff --git a/extensions/common/auth/auth-delegated/build.gradle.kts b/extensions/common/auth/auth-delegated/build.gradle.kts
new file mode 100644
index 00000000000..7742e7ce59f
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/build.gradle.kts
@@ -0,0 +1,33 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+}
+
+dependencies {
+    api(project(":spi:common:auth-spi"))
+    api(project(":spi:common:token-spi"))
+    implementation(project(":core:common:token-core")) // for the validation rules
+    implementation(project(":core:common:lib:crypto-common-lib"))
+    implementation(libs.jakarta.rsApi)
+    implementation(libs.nimbus.jwt)
+
+    testImplementation(project(":core:common:junit"))
+    testImplementation(project(":core:common:lib:keys-lib"))
+    testImplementation(libs.mockserver.netty)
+    testImplementation(libs.awaitility)
+}
+
+
diff --git a/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
new file mode 100644
index 00000000000..70066599a21
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
@@ -0,0 +1,85 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry;
+import org.eclipse.edc.keys.spi.KeyParserRegistry;
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.token.rules.ExpirationIssuedAtValidationRule;
+import org.eclipse.edc.token.rules.NotBeforeValidationRule;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
+import org.eclipse.edc.token.spi.TokenValidationService;
+
+import java.time.Clock;
+
+import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_CACHE_TIME_TO_LIVE;
+import static org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationService.MANAGEMENT_API_CONTEXT;
+
+/**
+ * Extension that registers an AuthenticationService that delegates authentication and authorization to a third-party IdP
+ */
+@Extension(value = DelegatedAuthenticationExtension.NAME)
+public class DelegatedAuthenticationExtension implements ServiceExtension {
+
+    public static final int DEFAULT_VALIDATION_TOLERANCE = 5_000;
+    public static final String NAME = "Delegating Authentication Service Extension";
+    @Setting(value = "Duration (in ms) that the internal key cache is valid", type = "Long", defaultValue = "" + DEFAULT_CACHE_TIME_TO_LIVE)
+    public static final String AUTH_SETTING_CACHE_VALIDITY_MS = "edc.api.auth.dac.cache.validity";
+    @Setting(value = "URL where the third-party IdP's public key(s) can be resolved")
+    public static final String AUTH_SETTING_KEY_URL = "edc.api.auth.dac.key.url";
+    @Setting(value = "Default token validation time tolerance (in ms), e.g. for nbf or exp claims", defaultValue = "" + DEFAULT_VALIDATION_TOLERANCE)
+    private static final String AUTH_SETTING_VALIDATION_TOLERANCE_MS = "edc.api.auth.dac.validation.tolerance";
+    @Inject
+    private ApiAuthenticationRegistry authenticationRegistry;
+    @Inject
+    private TokenValidationRulesRegistry tokenValidationRulesRegistry;
+    @Inject
+    private KeyParserRegistry keyParserRegistry;
+    @Inject
+    private TokenValidationService tokenValidationService;
+    @Inject
+    private Clock clock;
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Override
+    public void initialize(ServiceExtensionContext context) {
+        var monitor = context.getMonitor().withPrefix("Delegated API Authentication");
+
+        var keyUrl = context.getConfig().getString(AUTH_SETTING_KEY_URL, null);
+        if (keyUrl == null) {
+            monitor.warning("The '%s' setting was not provided, so the DelegatedAuthenticationService will NOT be registered. In this case, the TokenBasedAuthenticationService usually acts as fallback.".formatted(AUTH_SETTING_KEY_URL));
+            return;
+        }
+        var cacheValidityMs = context.getConfig().getLong(AUTH_SETTING_CACHE_VALIDITY_MS, DEFAULT_CACHE_TIME_TO_LIVE);
+        var tolerance = context.getConfig().getInteger(AUTH_SETTING_VALIDATION_TOLERANCE_MS, DEFAULT_VALIDATION_TOLERANCE);
+
+        //todo: currently, only JWKS urls are supported
+        var resolver = JwksPublicKeyResolver.create(keyParserRegistry, keyUrl, monitor, cacheValidityMs);
+
+        tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new NotBeforeValidationRule(clock, tolerance, true));
+        tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new ExpirationIssuedAtValidationRule(clock, tolerance, true));
+
+        // always register - this would potentially overwrite other services
+        authenticationRegistry.register("management-api", new DelegatedAuthenticationService(resolver, monitor, tokenValidationService, tokenValidationRulesRegistry));
+    }
+}
diff --git a/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationService.java b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationService.java
new file mode 100644
index 00000000000..304956435b1
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationService.java
@@ -0,0 +1,96 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import org.eclipse.edc.api.auth.spi.AuthenticationService;
+import org.eclipse.edc.keys.spi.PublicKeyResolver;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
+import org.eclipse.edc.token.spi.TokenValidationService;
+import org.eclipse.edc.web.spi.exception.AuthenticationFailedException;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import static jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION;
+
+public class DelegatedAuthenticationService implements AuthenticationService {
+
+    public static final String MANAGEMENT_API_CONTEXT = "management-api";
+    @Deprecated(since = "0.7.1")
+    private static final String X_API_KEY = "x-api-key";
+    public static final String OLD_API_KEY_WARNING = ("Header '%s' found with the DelegatedAuthenticationService. " +
+            "Please migrate to using the '%s' header at your earliest convenience, this compatibility feature will be removed in upcoming releases!").formatted(X_API_KEY, AUTHORIZATION);
+    private final PublicKeyResolver publicKeyResolver;
+    private final Monitor monitor;
+    private final TokenValidationService tokenValidationService;
+    private final TokenValidationRulesRegistry rulesRegistry;
+
+    public DelegatedAuthenticationService(PublicKeyResolver publicKeyResolver,
+                                          Monitor monitor,
+                                          TokenValidationService tokenValidationService,
+                                          TokenValidationRulesRegistry rulesRegistry) {
+        this.publicKeyResolver = publicKeyResolver;
+        this.monitor = monitor;
+        this.tokenValidationService = tokenValidationService;
+        this.rulesRegistry = rulesRegistry;
+    }
+
+    @Override
+    public boolean isAuthenticated(Map<String, List<String>> headers) {
+
+        if (headers == null) {
+            var msg = "Headers were null";
+            monitor.warning(msg);
+            throw new AuthenticationFailedException(msg);
+        }
+
+        var authHeaders = headers.get(AUTHORIZATION);
+        if (authHeaders == null || authHeaders.isEmpty()) {
+            // fall back to X-API-Key - backwards compatibility
+            authHeaders = headers.get(X_API_KEY);
+            if (authHeaders != null && !authHeaders.isEmpty()) {
+                monitor.warning(OLD_API_KEY_WARNING);
+            }
+        }
+
+        return Optional.ofNullable(authHeaders)
+                .map(this::performTokenValidation)
+                .orElseThrow(() -> {
+                    var msg = "Header '%s' not present".formatted(AUTHORIZATION);
+                    monitor.warning(msg);
+                    return new AuthenticationFailedException(msg);
+                });
+
+    }
+
+    private boolean performTokenValidation(List<String> authHeaders) {
+        if (authHeaders.size() != 1) {
+            monitor.warning("Expected exactly 1 Authorization header, found %d".formatted(authHeaders.size()));
+            return false;
+        }
+        var token = authHeaders.get(0);
+        if (!token.toLowerCase().startsWith("bearer ")) {
+            monitor.warning("Authorization header must start with 'Bearer '");
+            return false;
+        }
+        token = token.substring(6).trim(); // "bearer" has 7 characters, it could be upper case, lower case or capitalized
+
+        var rules = rulesRegistry.getRules(MANAGEMENT_API_CONTEXT);
+        return tokenValidationService.validate(token, publicKeyResolver, rules).succeeded();
+    }
+
+}
diff --git a/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolver.java b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolver.java
new file mode 100644
index 00000000000..70890a13457
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/main/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolver.java
@@ -0,0 +1,139 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import com.nimbusds.jose.KeySourceException;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.JWKMatcher;
+import com.nimbusds.jose.jwk.JWKSelector;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jose.proc.SimpleSecurityContext;
+import org.eclipse.edc.keys.spi.KeyParserRegistry;
+import org.eclipse.edc.keys.spi.PublicKeyResolver;
+import org.eclipse.edc.spi.EdcException;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.result.Result;
+import org.jetbrains.annotations.Nullable;
+
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.security.PublicKey;
+import java.util.List;
+import java.util.Optional;
+
+import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_CACHE_REFRESH_TIMEOUT;
+import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_RATE_LIMIT_MIN_INTERVAL;
+import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_REFRESH_AHEAD_TIME;
+
+/**
+ * A {@link PublicKeyResolver} that resolves a JSON Web Key Set from a URL and parses the JWK with the given ID
+ */
+public class JwksPublicKeyResolver implements PublicKeyResolver {
+    private final Monitor monitor;
+    private final KeyParserRegistry keyParserRegistry;
+    private final JWKSource<SecurityContext> jwkSource;
+
+    private JwksPublicKeyResolver(KeyParserRegistry keyParserRegistry, Monitor monitor, JWKSource<SecurityContext> jwkSource) {
+        this.keyParserRegistry = keyParserRegistry;
+        this.monitor = monitor;
+        this.jwkSource = jwkSource;
+    }
+
+    /**
+     * Creates a new resolver that does use any cache. That means, that every request hits the server.
+     *
+     * @param keyParserRegistry Should contain all relevant key parsers. The minimum recommendation is adding a {@code JwkParser}.
+     * @param jwksUrl           The URL of the public key server, where a JWK Set can be obtained.
+     * @param monitor           A monitor
+     * @throws EdcException if the jwksUrl is malformed
+     */
+    public static JwksPublicKeyResolver create(KeyParserRegistry keyParserRegistry, String jwksUrl, Monitor monitor) {
+        return create(keyParserRegistry, jwksUrl, monitor, 0);
+    }
+
+    /**
+     * Creates a new resolver that does use any cache. That means, that every request hits the server.
+     *
+     * @param keyParserRegistry Should contain all relevant key parsers. The minimum recommendation is adding a {@code JwkParser}.
+     * @param jwksUrl           The URL of the public key server, where a JWK Set can be obtained.
+     * @param monitor           A monitor
+     * @param cacheValidityMs   The time in milliseconds that public keys may be cached locally.
+     * @throws EdcException if the jwksUrl is malformed
+     */
+    public static JwksPublicKeyResolver create(KeyParserRegistry keyParserRegistry, String jwksUrl, Monitor monitor, long cacheValidityMs) {
+
+        try {
+            var builder = JWKSourceBuilder.create(URI.create(jwksUrl).toURL()).retrying(false);
+            if (cacheValidityMs > 0) {
+                builder.cache(cacheValidityMs, DEFAULT_CACHE_REFRESH_TIMEOUT);
+
+                // rate-limit must be < cache TTL, this would cause the cache to be refreshed more often than allowed
+                if (cacheValidityMs < DEFAULT_RATE_LIMIT_MIN_INTERVAL) {
+                    builder.rateLimited(cacheValidityMs - 1);
+                }
+                // cache TTL must be > refresh-ahead time plus refresh timeout
+                if (cacheValidityMs < DEFAULT_REFRESH_AHEAD_TIME + DEFAULT_CACHE_REFRESH_TIMEOUT) {
+                    builder.refreshAheadCache(false);
+                }
+
+            } else {
+                // disable all optimizations
+                builder.cache(false);
+                builder.rateLimited(false);
+                builder.refreshAheadCache(false);
+            }
+            var jwkSource = builder.build();
+            return new JwksPublicKeyResolver(keyParserRegistry, monitor, jwkSource);
+
+        } catch (MalformedURLException e) {
+            monitor.warning("Malformed JWK URL: " + jwksUrl, e);
+            throw new EdcException(e);
+        }
+    }
+
+    @Override
+    public Result<PublicKey> resolveKey(@Nullable String keyId) {
+        var matcher = Optional.ofNullable(keyId) // get matcher with optional keyID property
+                .map(kid -> new JWKMatcher.Builder().keyID(kid).build())
+                .orElseGet(() -> new JWKMatcher.Builder().build());
+        var selector = new JWKSelector(matcher);
+        List<JWK> keys;
+        try {
+            keys = jwkSource.get(selector, new SimpleSecurityContext());
+        } catch (KeySourceException e) {
+            monitor.warning("Error while retrieving JWKSet", e);
+            return Result.failure("Error while retrieving JWKSet: " + e.getMessage());
+        }
+
+        if (keys.isEmpty()) {
+            var msg = "JWKSet did not contain a matching key (desired keyId: '%s')".formatted(keyId);
+            monitor.warning(msg);
+            return Result.failure(msg);
+        }
+        if (keys.size() > 1) {
+            String msg = keyId == null ?
+                    "JWKSet contained %d keys, but no keyId was specified. Please consider specifying a keyId.".formatted(keys.size()) :
+                    "JWKSet contained %d matching keys (desired keyId: '%s'), where only 1 is expected. Will abort!".formatted(keys.size(), keyId);
+            monitor.warning(msg);
+            return Result.failure(msg);
+        }
+
+        var jwk = keys.get(0);
+
+        return keyParserRegistry.parse(jwk.toJSONString()).map(k -> (PublicKey) k);
+    }
+}
diff --git a/extensions/common/auth/auth-delegated/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension b/extensions/common/auth/auth-delegated/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension
new file mode 100644
index 00000000000..20a14da0836
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension
@@ -0,0 +1,15 @@
+#
+#  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Contributors:
+#       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+#
+#
+
+org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtension
diff --git a/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java
new file mode 100644
index 00000000000..c6f1d7b0a89
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java
@@ -0,0 +1,68 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry;
+import org.eclipse.edc.junit.extensions.DependencyInjectionExtension;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.spi.system.configuration.Config;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import static org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtension.AUTH_SETTING_KEY_URL;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(DependencyInjectionExtension.class)
+class DelegatedAuthenticationExtensionTest {
+
+    private final Monitor monitor = mock(Monitor.class);
+    private final ApiAuthenticationRegistry registry = mock();
+
+    @BeforeEach
+    void setUp(ServiceExtensionContext context) {
+        when(monitor.withPrefix(anyString())).thenReturn(monitor);
+        when(context.getMonitor()).thenReturn(monitor);
+        context.registerService(ApiAuthenticationRegistry.class, registry);
+    }
+
+    @Test
+    void initialize(DelegatedAuthenticationExtension extension, ServiceExtensionContext context) {
+
+        var configMock = mock(Config.class);
+        when(configMock.getString(eq(AUTH_SETTING_KEY_URL), eq(null))).thenReturn("http://foo.bar/.well-known/jwks.json");
+        when(context.getConfig()).thenReturn(configMock);
+
+        extension.initialize(context);
+
+        verify(registry).register(eq("management-api"), isA(DelegatedAuthenticationService.class));
+    }
+
+    @Test
+    void initialize_noUrlGiven_shouldNotRegister(DelegatedAuthenticationExtension extension, ServiceExtensionContext context) {
+
+        extension.initialize(context);
+
+        verify(monitor).warning("The '%s' setting was not provided, so the DelegatedAuthenticationService will NOT be registered. In this case, the TokenBasedAuthenticationService usually acts as fallback.".formatted(AUTH_SETTING_KEY_URL));
+        verify(registry, never()).register(eq("management-api"), isA(DelegatedAuthenticationService.class));
+    }
+}
\ No newline at end of file
diff --git a/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationServiceTest.java b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationServiceTest.java
new file mode 100644
index 00000000000..c9a0def58c6
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationServiceTest.java
@@ -0,0 +1,166 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.eclipse.edc.keys.keyparsers.JwkParser;
+import org.eclipse.edc.keys.spi.PublicKeyResolver;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.token.TokenValidationServiceImpl;
+import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
+import org.eclipse.edc.web.spi.exception.AuthenticationFailedException;
+import org.junit.jupiter.api.Test;
+
+import java.security.PublicKey;
+import java.util.List;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.eclipse.edc.api.auth.delegated.TestFunctions.createToken;
+import static org.eclipse.edc.api.auth.delegated.TestFunctions.generateKey;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.contains;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+class DelegatedAuthenticationServiceTest {
+
+    private static final long TEST_CACHE_VALIDITY = 50;
+    private final TokenValidationRulesRegistry rulesRegistry = mock();
+    private final PublicKeyResolver publicKeyResolver = mock();
+    private final ObjectMapper mapper = new ObjectMapper();
+    private final Monitor monitor = mock();
+    private final JwkParser jwkParser = new JwkParser(mapper, monitor);
+    private final DelegatedAuthenticationService service = new DelegatedAuthenticationService(publicKeyResolver, monitor, new TokenValidationServiceImpl(), rulesRegistry);
+
+    @Test
+    void isAuthenticated_valid() {
+        var key = generateKey();
+        var pk = jwkParser.parse(key.toPublicJWK().toJSONString());
+        when(publicKeyResolver.resolveKey(anyString())).thenReturn(pk.map(k -> (PublicKey) k));
+
+        var token = createToken(key);
+        var headers = Map.of("Authorization", List.of("Bearer " + token));
+
+        assertThat(service.isAuthenticated(headers)).isTrue();
+        verify(publicKeyResolver).resolveKey(eq(key.getKeyID()));
+        verify(rulesRegistry).getRules(eq(DelegatedAuthenticationService.MANAGEMENT_API_CONTEXT));
+        verifyNoMoreInteractions(publicKeyResolver, rulesRegistry);
+    }
+
+    @Test
+    void isAuthenticated_noHeaders() {
+        assertThatThrownBy(() -> service.isAuthenticated(null))
+                .isInstanceOf(AuthenticationFailedException.class);
+        verify(monitor).warning("Headers were null");
+        verifyNoInteractions(rulesRegistry, publicKeyResolver);
+    }
+
+    @Test
+    void isAuthenticated_emptyHeaders() {
+        assertThatThrownBy(() -> service.isAuthenticated(Map.of()))
+                .isInstanceOf(AuthenticationFailedException.class);
+        verify(monitor).warning("Header 'Authorization' not present");
+        verifyNoInteractions(rulesRegistry, publicKeyResolver);
+    }
+
+    @Test
+    void isAuthenticated_noAuthHeader() {
+        assertThatThrownBy(() -> service.isAuthenticated(Map.of("foo", List.of("bar"))))
+                .isInstanceOf(AuthenticationFailedException.class);
+        verify(monitor).warning("Header 'Authorization' not present");
+        verifyNoInteractions(rulesRegistry, publicKeyResolver);
+    }
+
+    @Test
+    void isAuthenticated_multipleAuthHeaders_shouldReject() {
+        var key = generateKey();
+        var token = createToken(key);
+
+        var headers = Map.of("Authorization", List.of("Bearer " + token, "Bearer someOtherToken"));
+
+        assertThat(service.isAuthenticated(headers)).isFalse();
+        verify(monitor).warning(contains("Expected exactly 1 Authorization header, found 2"));
+        verifyNoInteractions(rulesRegistry, publicKeyResolver);
+    }
+
+    @Test
+    void isAuthenticated_notBearer() {
+        var key = generateKey();
+        var pk = jwkParser.parse(key.toPublicJWK().toJSONString());
+        when(publicKeyResolver.resolveKey(anyString())).thenReturn(pk.map(k -> (PublicKey) k));
+
+        var token = createToken(key);
+        var headers = Map.of("Authorization", List.of(token));
+
+        assertThat(service.isAuthenticated(headers)).isFalse();
+        verify(monitor).warning("Authorization header must start with 'Bearer '");
+        verifyNoInteractions(rulesRegistry, publicKeyResolver);
+    }
+
+    @Test
+    void isAuthenticated_withXapiKey() {
+        var key = generateKey();
+        var pk = jwkParser.parse(key.toPublicJWK().toJSONString());
+        when(publicKeyResolver.resolveKey(anyString())).thenReturn(pk.map(k -> (PublicKey) k));
+
+        var token = createToken(key);
+        var headers = Map.of("x-api-key", List.of("bearer " + token));
+
+        assertThat(service.isAuthenticated(headers)).isTrue();
+        verify(publicKeyResolver).resolveKey(eq(key.getKeyID()));
+        verify(rulesRegistry).getRules(eq(DelegatedAuthenticationService.MANAGEMENT_API_CONTEXT));
+        verifyNoMoreInteractions(publicKeyResolver, rulesRegistry);
+    }
+
+    @Test
+    void isAuthenticated_withXapiKey_noBearerPrefix() {
+        var key = generateKey();
+        var pk = jwkParser.parse(key.toPublicJWK().toJSONString());
+        when(publicKeyResolver.resolveKey(anyString())).thenReturn(pk.map(k -> (PublicKey) k));
+
+        var token = createToken(key);
+        var headers = Map.of("x-api-key", List.of(token));
+
+        assertThat(service.isAuthenticated(headers)).isFalse();
+        verifyNoInteractions(publicKeyResolver, rulesRegistry);
+        verify(monitor).warning(DelegatedAuthenticationService.OLD_API_KEY_WARNING);
+    }
+
+    @Test
+    void isAuthenticated_withXapiKeyAndAuthHeader_authTakesPrecedence() {
+        var key = generateKey();
+        var pk = jwkParser.parse(key.toPublicJWK().toJSONString());
+        when(publicKeyResolver.resolveKey(anyString())).thenReturn(pk.map(k -> (PublicKey) k));
+
+        var token = createToken(key);
+        var headers = Map.of(
+                "x-api-key", List.of(token),
+                "Authorization", List.of("Bearer " + token));
+
+        assertThat(service.isAuthenticated(headers)).isTrue();
+        verify(publicKeyResolver).resolveKey(eq(key.getKeyID()));
+        verify(rulesRegistry).getRules(eq(DelegatedAuthenticationService.MANAGEMENT_API_CONTEXT));
+        verify(monitor, never()).warning(DelegatedAuthenticationService.OLD_API_KEY_WARNING);
+        verifyNoMoreInteractions(publicKeyResolver, rulesRegistry);
+    }
+
+}
\ No newline at end of file
diff --git a/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolverTest.java b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolverTest.java
new file mode 100644
index 00000000000..5f71fce099c
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/JwksPublicKeyResolverTest.java
@@ -0,0 +1,223 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.nimbusds.jose.jwk.JWK;
+import org.eclipse.edc.junit.annotations.ComponentTest;
+import org.eclipse.edc.keys.KeyParserRegistryImpl;
+import org.eclipse.edc.keys.keyparsers.JwkParser;
+import org.eclipse.edc.keys.spi.KeyParserRegistry;
+import org.eclipse.edc.spi.EdcException;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.jetbrains.annotations.NotNull;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockserver.integration.ClientAndServer;
+import org.mockserver.model.HttpRequest;
+
+import java.net.MalformedURLException;
+import java.time.Duration;
+import java.util.Arrays;
+import java.util.Map;
+
+import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_CACHE_TIME_TO_LIVE;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.awaitility.Awaitility.await;
+import static org.eclipse.edc.api.auth.delegated.TestFunctions.generateKey;
+import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
+import static org.eclipse.edc.util.io.Ports.getFreePort;
+import static org.mockito.ArgumentMatchers.contains;
+import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockserver.model.HttpRequest.request;
+import static org.mockserver.model.HttpResponse.response;
+import static org.mockserver.stop.Stop.stopQuietly;
+import static org.mockserver.verify.VerificationTimes.exactly;
+import static org.mockserver.verify.VerificationTimes.never;
+
+@ComponentTest
+class JwksPublicKeyResolverTest {
+
+    private static ClientAndServer jwksServer;
+    private final KeyParserRegistry keyParserRegistry = new KeyParserRegistryImpl();
+    private final ObjectMapper mapper = new ObjectMapper();
+    private final Monitor monitor = mock();
+    private JwksPublicKeyResolver resolver;
+
+    @BeforeAll
+    static void prepare() {
+        jwksServer = ClientAndServer.startClientAndServer(getFreePort());
+    }
+
+    @AfterAll
+    static void teardown() {
+        stopQuietly(jwksServer);
+    }
+
+    @BeforeEach
+    void setup() {
+        jwksServer.reset();
+        keyParserRegistry.register(new JwkParser(mapper, monitor));
+        resolver = JwksPublicKeyResolver.create(keyParserRegistry, jwksServerUrl(), monitor, DEFAULT_CACHE_TIME_TO_LIVE);
+    }
+
+    @Test
+    void resolve_singleKey() {
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(generateKey("foo-bar-key").toPublicJWK())));
+
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+    }
+
+    @Test
+    void resolve_multipleUniqueKeys() {
+
+        var key1 = generateKey("foo-bar-key1").toPublicJWK();
+        var key2 = generateKey("foo-bar-key2").toPublicJWK();
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(key1, key2)));
+
+        assertThat(resolver.resolveKey("foo-bar-key2")).isSucceeded();
+        jwksServer.verify(jwksRequest(), exactly(1));
+    }
+
+    @Test
+    void resolve_multipleKeysWithSameId() {
+
+        var key1 = generateKey("foo-bar-keyX").toPublicJWK();
+        var key2 = generateKey("foo-bar-keyX").toPublicJWK();
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(key1, key2)));
+
+        assertThat(resolver.resolveKey("foo-bar-keyX")).isFailed()
+                .detail().isEqualTo("JWKSet contained 2 matching keys (desired keyId: 'foo-bar-keyX'), where only 1 is expected. Will abort!");
+        jwksServer.verify(jwksRequest(), exactly(1));
+
+    }
+
+    @Test
+    void resolve_keyNotFound() {
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(generateKey("foo-bar-key").toPublicJWK())));
+
+        assertThat(resolver.resolveKey("not-exist")).isFailed()
+                .detail().isEqualTo("JWKSet did not contain a matching key (desired keyId: 'not-exist')");
+        // the JWK source has this weird behaviour where it tries again when no key matches the selector.
+        // ref: JWKSetBasedJWKSource.java
+        jwksServer.verify(jwksRequest(), exactly(2));
+
+    }
+
+    @Test
+    void resolve_multipleKeys_noKeyIdGiven() {
+        var key1 = generateKey("foo-bar-key1").toPublicJWK();
+        var key2 = generateKey("foo-bar-key2").toPublicJWK();
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(key1, key2)));
+
+        assertThat(resolver.resolveKey(null)).isFailed()
+                .detail().isEqualTo("JWKSet contained 2 keys, but no keyId was specified. Please consider specifying a keyId.");
+        jwksServer.verify(jwksRequest(), exactly(1));
+    }
+
+    @Test
+    void resolve_singleKey_noKeyId() {
+        var key1 = generateKey("foo-bar-key1").toPublicJWK();
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(key1)));
+
+        assertThat(resolver.resolveKey(null)).isSucceeded();
+        jwksServer.verify(jwksRequest(), exactly(1));
+    }
+
+
+    @Test
+    void resolve_malformedKeyUrl() {
+
+        assertThatThrownBy(() -> JwksPublicKeyResolver.create(keyParserRegistry, "foobar://invalid.url", monitor, DEFAULT_CACHE_TIME_TO_LIVE))
+                .isInstanceOf(EdcException.class)
+                .hasRootCauseInstanceOf(MalformedURLException.class);
+
+        verify(monitor).warning(contains("Malformed JWK URL: foobar://invalid.url"), isA(MalformedURLException.class));
+    }
+
+    @Test
+    void resolve_invalidKeyUrl() {
+        resolver = JwksPublicKeyResolver.create(keyParserRegistry, "http:_invalid.url", monitor, DEFAULT_CACHE_TIME_TO_LIVE);
+        assertThat(resolver.resolveKey("test-key")).isFailed()
+                .detail().contains("Error while retrieving JWKSet");
+        jwksServer.verify(jwksRequest(), never());
+
+    }
+
+    @Test
+    void resolve_verifyHitsCache() {
+        var cacheTtl = 1000;
+        resolver = JwksPublicKeyResolver.create(keyParserRegistry, jwksServerUrl(), monitor, cacheTtl);
+
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(generateKey("foo-bar-key").toPublicJWK())));
+
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+        jwksServer.verify(jwksRequest(), exactly(1));
+
+        // now wait for the cache to expire, try again and assert that the key server is hit
+        await().atMost(Duration.ofMillis(3 * cacheTtl))
+                .untilAsserted(() -> {
+                    assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+                    jwksServer.verify(jwksRequest(), exactly(1));
+                });
+
+    }
+
+    @Test
+    void resolve_verifyNoHitsCache() {
+        resolver = JwksPublicKeyResolver.create(keyParserRegistry, jwksServerUrl(), monitor);
+
+        jwksServer.when(jwksRequest())
+                .respond(response().withStatusCode(200).withBody(jwksObject(generateKey("foo-bar-key").toPublicJWK())));
+
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+        assertThat(resolver.resolveKey("foo-bar-key")).isSucceeded();
+        jwksServer.verify(jwksRequest(), exactly(3));
+    }
+
+    private @NotNull String jwksServerUrl() {
+        return "http://localhost:%d/.well-known/jwks.json".formatted(jwksServer.getPort());
+    }
+
+    private HttpRequest jwksRequest() {
+        return request()
+                .withPath("/.well-known/jwks.json");
+    }
+
+    private String jwksObject(JWK... keys) {
+        var keyList = Arrays.stream(keys).map(JWK::toJSONObject).toList();
+        var m = Map.of("keys", keyList);
+
+        try {
+            return mapper.writeValueAsString(m);
+        } catch (JsonProcessingException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
\ No newline at end of file
diff --git a/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/TestFunctions.java b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/TestFunctions.java
new file mode 100644
index 00000000000..eaf3da9e11b
--- /dev/null
+++ b/extensions/common/auth/auth-delegated/src/test/java/org/eclipse/edc/api/auth/delegated/TestFunctions.java
@@ -0,0 +1,59 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.api.auth.delegated;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import org.eclipse.edc.security.token.jwt.CryptoConverter;
+
+public class TestFunctions {
+    public static JWK generateKey() {
+        return generateKey("test-key");
+    }
+
+    public static JWK generateKey(String keyId) {
+        try {
+            return new OctetKeyPairGenerator(Curve.Ed25519).keyID(keyId).keyUse(KeyUse.SIGNATURE).generate();
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static String createToken(JWK key) {
+        var signer = CryptoConverter.createSigner(key);
+        var algorithm = CryptoConverter.getRecommendedAlgorithm(signer);
+
+        var header = new JWSHeader.Builder(algorithm).keyID(key.getKeyID()).build();
+        var claims = new JWTClaimsSet.Builder()
+                .audience("test-audience")
+                .issuer("test-issuer")
+                .subject("test-subject")
+                .build();
+
+        var jwt = new SignedJWT(header, claims);
+        try {
+            jwt.sign(signer);
+            return jwt.serialize();
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
diff --git a/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java b/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
index 38473c84e14..a8f0e54d431 100644
--- a/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
+++ b/extensions/common/auth/auth-tokenbased/src/main/java/org/eclipse/edc/api/auth/token/TokenBasedAuthenticationExtension.java
@@ -16,11 +16,9 @@
 
 package org.eclipse.edc.api.auth.token;
 
-import org.eclipse.edc.api.auth.spi.AuthenticationService;
 import org.eclipse.edc.api.auth.spi.registry.ApiAuthenticationRegistry;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
-import org.eclipse.edc.runtime.metamodel.annotation.Provides;
 import org.eclipse.edc.runtime.metamodel.annotation.Setting;
 import org.eclipse.edc.spi.security.Vault;
 import org.eclipse.edc.spi.system.ServiceExtension;
@@ -32,7 +30,6 @@
 /**
  * Extension that registers an AuthenticationService that uses API Keys
  */
-@Provides(AuthenticationService.class)
 @Extension(value = TokenBasedAuthenticationExtension.NAME)
 public class TokenBasedAuthenticationExtension implements ServiceExtension {
 
@@ -58,6 +55,9 @@ public void initialize(ServiceExtensionContext context) {
                 .map(alias -> vault.resolveSecret(alias))
                 .orElseGet(() -> context.getSetting(AUTH_SETTING_APIKEY, UUID.randomUUID().toString()));
 
-        authenticationRegistry.register("management-api", new TokenBasedAuthenticationService(apiKey));
+        // only register as fallback, if no other has been registered
+        if (!authenticationRegistry.hasService("management-api")) {
+            authenticationRegistry.register("management-api", new TokenBasedAuthenticationService(apiKey));
+        }
     }
 }
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 550166d3c55..270831b2d0d 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -104,6 +104,7 @@ include(":extensions:common:api:lib:management-api-lib")
 include(":extensions:common:api:version-api")
 include(":extensions:common:auth:auth-basic")
 include(":extensions:common:auth:auth-tokenbased")
+include(":extensions:common:auth:auth-delegated")
 include(":extensions:common:crypto:ldp-verifiable-credentials")
 include(":extensions:common:crypto:jwt-verifiable-credentials")
 include(":extensions:common:crypto:lib:jws2020-lib")
diff --git a/spi/common/auth-spi/src/main/java/org/eclipse/edc/api/auth/spi/registry/ApiAuthenticationRegistry.java b/spi/common/auth-spi/src/main/java/org/eclipse/edc/api/auth/spi/registry/ApiAuthenticationRegistry.java
index b24f4b23297..f4997be2597 100644
--- a/spi/common/auth-spi/src/main/java/org/eclipse/edc/api/auth/spi/registry/ApiAuthenticationRegistry.java
+++ b/spi/common/auth-spi/src/main/java/org/eclipse/edc/api/auth/spi/registry/ApiAuthenticationRegistry.java
@@ -37,6 +37,14 @@ public interface ApiAuthenticationRegistry {
      * @param context the context.
      * @return the {@link AuthenticationService}
      */
-    @NotNull AuthenticationService resolve(String context);
+    @NotNull
+    AuthenticationService resolve(String context);
 
+    /**
+     * Determines whether a specific authentication service registration exists for a given context.
+     *
+     * @param context The context name
+     * @return {@code true} if a non-default, non-null service is registered, {@code false} otherwise
+     */
+    boolean hasService(String context);
 }