diff --git a/app/services/irs_attempts_api/attempt_event.rb b/app/services/irs_attempts_api/attempt_event.rb
index e4a036d9eca..5e0f26aa737 100644
--- a/app/services/irs_attempts_api/attempt_event.rb
+++ b/app/services/irs_attempts_api/attempt_event.rb
@@ -24,6 +24,7 @@ def to_jwe
 event_data_encryption_key,
 typ: 'secevent+jwe',
 zip: 'DEF',
+ alg: 'RSA-OAEP',
 enc: 'A256GCM',
 )
 end
diff --git a/spec/services/irs_attempts_api/attempt_event_spec.rb b/spec/services/irs_attempts_api/attempt_event_spec.rb
index 547219e62fc..007dea255da 100644
--- a/spec/services/irs_attempts_api/attempt_event_spec.rb
+++ b/spec/services/irs_attempts_api/attempt_event_spec.rb
@@ -32,7 +32,13 @@
 it 'returns a JWE for the event' do
 jwe = subject.to_jwe
+ header_str, *_rest = JWE::Serialization::Compact.decode(jwe)
+ headers = JSON.parse(header_str)
+
+ expect(headers['alg']).to eq('RSA-OAEP')
+
 decrypted_jwe_payload = JWE.decrypt(jwe, irs_attempt_api_private_key)
+
 token = JSON.parse(decrypted_jwe_payload)
 expect(token['iss']).to eq('http://www.example.com/')
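Review bot: The new `alg: 'RSA-OAEP'` argument in `to_jwe` is a security-relevant choice with no comment explaining why it is pinned. In JOSE (RFC 7518) `RSA-OAEP` means OAEP with SHA-1 and MGF1-SHA-1, and whoever decrypts these events has to accept the same key-management algorithm. I would add a comment above the header arguments such as `# Pin alg and enc explicitly so a change in the JWE library's defaults cannot silently change the header the consumer expects`. Whether the library and the consumer also support `RSA-OAEP-256` is not visible from this hunk, so that is only something to confirm. The body of `to_jwe` starts outside the hunk.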
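Review bot: The added assertions check only `headers['alg']`, while `to_jwe` also sets `typ`, `zip` and `enc`. A regression in the content-encryption setting would therefore still pass this example as long as decryption succeeds. Since the protected header is already parsed here, add `expect(headers['enc']).to eq('A256GCM')` and `expect(headers['typ']).to eq('secevent+jwe')` next to the `alg` expectation. The `it` block continues past the end of the hunk.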