OpenIdDict with multiple AddValidation for an ASP.NET core/6.0 API

Question

I'm having a RESTful Asp.NET Core/6.0 API, were I'm using an separate Auth-Server with OpenIdDict.

My problem is I created two applications one with grant-type Client-credentials (for machine-to-machine communication) and one with grant-type Authorization-code (for the UI app)

Now I will grant both applications access to the API, I do that with following code in the API:

// Register the OpenIddict validation components.
builder.Services.AddOpenIddict()

.AddValidation(options =>
{
    options.UseIntrospection()
           .SetClientId("ecrom_ui")
           .SetClientSecret("901564A5-E7FE-42CB-B10D-61EF6A8F3654")
           .AddAudiences("ecrom_resource_server")
           .SetIssuer("https://localhost:44396/");

    options.UseSystemNetHttp();

    options.UseAspNetCore();
})
//only the last entry will be respected, all others return invalid-token
.AddValidation(options =>
{
    options.UseIntrospection()
           .SetClientId("ecrom_device_demo")
           .SetClientSecret("A0750148D6E5440C8C144562FA8DE52A")
           .AddAudiences("ecrom_resource_server")
           .SetIssuer("https://localhost:44396/");

    options.UseSystemNetHttp();

    options.UseAspNetCore();
});

builder.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();

My problem is, only the last entry of .AddValidation works - the first will be ignored or overwritten?!

How can I add two applications to one API to access the data?

If it helps, my Auth-App code looks like this:

async Task CreateApplicationsAsync()
{
    var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
    
    if (await manager.FindByClientIdAsync("ecrom_device_demo") is null)
    {
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "ecrom_device_demo",
            ClientSecret = "A0750148D6E5440C8C144562FA8DE52A",
            DisplayName = "ecrom_device_demo",
            Permissions =
            {
                OpenIddictConstants.Permissions.Endpoints.Token,
                OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
                OpenIddictConstants.Permissions.Prefixes.Scope + "ecrom_api_datapoint",
                Permissions.Endpoints.Introspection
            }
        });
    }

    if (await manager.FindByClientIdAsync("ecrom_ui") is null)
    {
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "ecrom_ui",
            ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
            ConsentType = ConsentTypes.Implicit,
            DisplayName = "ecrom UI",
            PostLogoutRedirectUris =
            {
            new Uri("https://localhost:44392/signout-callback-oidc")
            },
            RedirectUris =
            {
            new Uri("https://localhost:44392/signin-oidc")
            },
            Permissions =
            {
            Permissions.Endpoints.Authorization,
                Permissions.Endpoints.Logout,
                Permissions.Endpoints.Token,
                Permissions.GrantTypes.AuthorizationCode,
                Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code,
                Permissions.Scopes.Email,
                Permissions.Scopes.Profile,
                Permissions.Scopes.Roles,
                Permissions.Prefixes.Scope + "ecrom_api_datapoint",
                Permissions.Endpoints.Introspection
            },
            Requirements =
            {
            Requirements.Features.ProofKeyForCodeExchange
            }
        });
    }

Do I miss something obvious?