diff --git a/token/jwt/jwt.go b/token/jwt/jwt.go
index d9f825a7..dc7f96e1 100644
--- a/token/jwt/jwt.go
+++ b/token/jwt/jwt.go
@@ -48,9 +48,9 @@ func (j *DefaultSigner) Generate(ctx context.Context, claims MapClaims, header M
 switch t := key.(type) {
 case *jose.JSONWebKey:
- return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t.Key)
+ return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 case jose.JSONWebKey:
- return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t.Key)
+ return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 case *rsa.PrivateKey:
 return generateToken(claims, header, jose.RS256, t)
 case *ecdsa.PrivateKey:
diff --git a/token/jwt/jwt_test.go b/token/jwt/jwt_test.go
index b498a7e3..44392f4d 100644
--- a/token/jwt/jwt_test.go
+++ b/token/jwt/jwt_test.go
@@ -105,6 +105,7 @@ func TestGenerateJWT(t *testing.T) {
 },
 resetKey: func(strategy Signer) {
 key = &jose.JSONWebKey{
+ KeyID: "test-id",
 Key: gen.MustES521Key(),
 Algorithm: "ES512",
 }
@@ -129,7 +130,16 @@ func TestGenerateJWT(t *testing.T) {
 token, sig, err := tc.strategy.Generate(context.TODO(), claims.ToMapClaims(), header)
 require.NoError(t, err)
- require.NotNil(t, token)
+ require.NotEmpty(t, token)
+ require.NotEmpty(t, sig)
+
+ decoded, err := tc.strategy.Decode(context.TODO(), token)
+ require.NoError(t, err)
+ require.NotNil(t, decoded)
+
+ if k, ok := key.(*jose.JSONWebKey); ok && k.KeyID != "" {
+ require.Equal(t, k.KeyID, decoded.Header["kid"])
+ }
 sig, err = tc.strategy.Validate(context.TODO(), token)
 require.NoError(t, err)
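Review bot: On both changed `return` lines the JWK's `Algorithm` string is still cast to `jose.SignatureAlgorithm` with no check, so a JWK whose `alg` is empty or not a signing algorithm is forwarded unchanged and whether it is rejected depends entirely on generateToken, which is outside this hunk; a guard before the cast, `if t.Algorithm == "" { return <zero values>, errors.New("jwk has no alg") }` (I cannot see Generate's result types here, so fill in its zero values and confirm `errors` is imported), would fail fast with a clear error. The reason for passing the whole JWK instead of `t.Key` is only implied by the `kid` assertion in the test diff; a comment on the first case, `// pass the full JWK so the signer can emit its KeyID as the kid header`, would record it. The `jose.JSONWebKey` value case now duplicates the pointer case and could delegate to it with `&t`, assuming generateToken accepts the pointer form. Generate's body continues beyond the hunk.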
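Review bot: Only this `resetKey` case receives a `KeyID`, so the `kid` assertion added further down (`if k, ok := key.(*jose.JSONWebKey); ok && k.KeyID != ""`) is exercised for a single pointer JWK, and the `jose.JSONWebKey` value branch changed in jwt.go is never checked to emit `kid` at all. Giving a value-JWK case a KeyID too, if the table has one, and extending the type assertion to cover `jose.JSONWebKey`, would pin both branches. A short comment on the new field, `// KeyID must surface as the kid header; asserted after Generate`, would explain why this case alone sets it. TestGenerateJWT starts and ends outside the hunk.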