diff --git a/helm/higress/templates/deployment.yaml b/helm/higress/templates/deployment.yaml
index 466d3f456..740fbfa30 100644
--- a/helm/higress/templates/deployment.yaml
+++ b/helm/higress/templates/deployment.yaml
@@ -122,7 +122,7 @@ spec:
 - name: ENABLE_INGRESS_GATEWAY_SDS
 value: "false"
 - name: JWT_POLICY
- value: first-party-jwt
+ value: {{ .Values.gateway.jwtPolicy }}
 - name: ISTIO_META_HTTP10
 value: "1"
 - name: ISTIO_META_CLUSTER_ID
@@ -166,6 +166,11 @@ spec:
 {{- toYaml .Values.gateway.resources | nindent 12 }}
 {{- end }}
 volumeMounts:
+ {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ {{- end }}
 - name: config
 mountPath: /etc/istio/config
 - name: istio-ca-root-cert
@@ -189,6 +194,15 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
+ {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ {{- end }}
 - name: istio-ca-root-cert
 configMap:
 name: istio-ca-root-cert
diff --git a/helm/higress/values.yaml b/helm/higress/values.yaml
index 9672b4c50..2e4b0712e 100644
--- a/helm/higress/values.yaml
+++ b/helm/higress/values.yaml
@@ -35,6 +35,10 @@ gateway:
 # Pod environment variables
 env: {}
 
+ # Configure the policy for validating JWT, it is used for istio authentication.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+
 # Labels to apply to all resources
 labels: {}
 
diff --git a/helm/istiod/values.yaml b/helm/istiod/values.yaml
index 0e37adf48..e6e7d2e58 100644
--- a/helm/istiod/values.yaml
+++ b/helm/istiod/values.yaml
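Review bot: The templated `value: {{ .Values.gateway.jwtPolicy }}` is emitted unquoted, so an empty or unset `gateway.jwtPolicy` renders as a bare `value:` (null) rather than a string, and a value containing YAML-special characters would break the rendered manifest; the literal `first-party-jwt` it replaces had neither problem. Piping the value through `quote` keeps the env var a string in every case: `value: {{ .Values.gateway.jwtPolicy | quote }}`. Nothing in this hunk rejects an unrecognised policy string, so a typo is forwarded to the gateway verbatim as JWT_POLICY. The container spec this env list belongs to starts outside the hunk.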
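Review bot: The `istio-token` mount is added only when `gateway.jwtPolicy` equals exactly `third-party-jwt`, while the first hunk forwards whatever string was configured, so a misspelt value silently produces a pod with JWT_POLICY set but no projected token volume, and the mismatch only surfaces at runtime. A template-time guard would catch it before anything is applied, e.g. `{{- if not (has .Values.gateway.jwtPolicy (list "first-party-jwt" "third-party-jwt")) }}{{ fail "gateway.jwtPolicy must be \"first-party-jwt\" or \"third-party-jwt\"" }}{{- end }}` placed once near the top of the template. The same literal comparison is repeated in the volumes hunk below; deriving it once (a named template or a single variable) would keep the mount and the volume from drifting apart. Mounting the token with `readOnly: true` is the right choice. The volumeMounts list continues outside the hunk.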
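Review bot: `audience: istio-ca` and `expirationSeconds: 43200` are hard-coded inside the projected `serviceAccountToken` source, so an operator who wants a shorter token lifetime or a different audience has to fork the template; exposing both as chart values that default to the current literals would avoid that, e.g. `expirationSeconds: {{ .Values.gateway.<TOKEN_EXPIRATION_VALUE> }}` with a placeholder key of your choosing. The bounded, audience-scoped token this volume projects is the substantive security gain of the `third-party-jwt` policy over a long-lived service-account token, so it is worth a short comment above the `projected:` block saying so. The volumes list continues outside the hunk.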
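Review bot: The new `jwtPolicy` comment does not say what the `third-party-jwt` default needs from the cluster or what happens with any other string, although the templates gate the projected token volume on the exact value and otherwise pass it through unvalidated. A comment such as `# "third-party-jwt" mounts a projected, audience-bound service account token (presumably requires cluster support for projected service account tokens); any other value is passed to the gateway as-is.` would give operators what they need when choosing. Quoting the default is right, since it keeps the value a string regardless of the YAML parser.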
@@ -416,7 +416,7 @@ global:
 # Configure the policy for validating JWT.
 # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
- jwtPolicy: "first-party-jwt"
+ jwtPolicy: "third-party-jwt"
 # Mesh ID means Mesh Identifier. It should be unique within the scope where
 # meshes will interact with each other, but it is not required to be