diff --git a/conf.d/global.conf b/conf.d/global.conf
index a6472ba8106cc83f9d9a0d16543b2b1ea070dd28..608fe8de67213f080cf2736ceceab71c26117be1 100644
--- a/conf.d/global.conf
+++ b/conf.d/global.conf
@@ -9,3 +9,5 @@ include                         snippets/common-headers.conf;
 proxy_ssl_trusted_certificate   /etc/ssl/certs/ca-certificates.crt;
 proxy_ssl_verify                on;
 proxy_ssl_verify_depth          4;
+# For proxying /validate on different hosts to Vouch.
+map $host $vouch { default vouch; }
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d815fd4dd7f67242a3b351b515a832654ed2fdf..fea34f75e87a51078bf6ca1d638d3a920b74c143 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
   proxy:
     build:
       context: ./
-    #command: ["nginx", "-g", "daemon off;"]
+    # command: ["nginx", "-g", "daemon off;"]
     hostname: &hostname shore.co.il
     networks:
       default:
@@ -20,6 +20,23 @@ services:
       - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
       - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
 
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: registry.hub.docker.com/voucher/vouch-proxy:alpine-0.20.1
+    restart: always
+
 networks:
   default:
     name: shore
diff --git a/snippets/vouch.conf b/snippets/vouch.conf
index 20ba3e1c2ff4c585867257863a1f3ec517059b31..9571b80c28f366b99b57096ab7c23afacf61b46d 100644
--- a/snippets/vouch.conf
+++ b/snippets/vouch.conf
@@ -3,9 +3,10 @@ auth_request    /validate;
 
 location = /validate {
   # forward the /validate request to Vouch Proxy
-  proxy_pass                        https://vouch.shore.co.il/validate;
+  proxy_pass                        http://$vouch:9090/validate;
   proxy_http_version                1.1;
   internal;
+  include                           snippets/proxy-headers.conf;
 
   # Vouch Proxy only acts on the request headers
   proxy_pass_request_body           off;