diff --git a/app/services/irs_attempts_api/attempt_event.rb b/app/services/irs_attempts_api/attempt_event.rb
index 5e0f26aa737..4eb04d7fb3c 100644
--- a/app/services/irs_attempts_api/attempt_event.rb
+++ b/app/services/irs_attempts_api/attempt_event.rb
@@ -26,6 +26,7 @@ def to_jwe
         zip: 'DEF',
         alg: 'RSA-OAEP',
         enc: 'A256GCM',
+        kid: JWT::JWK.new(event_data_encryption_key).kid,
       )
     end
 
@@ -83,8 +84,10 @@ def event_data_encryption_key_id
     end
 
     def event_data_encryption_key
-      decoded_key_der = Base64.strict_decode64(IdentityConfig.store.irs_attempt_api_public_key)
-      OpenSSL::PKey::RSA.new(decoded_key_der)
+      @event_data_encryption_key ||= begin
+        decoded_key_der = Base64.strict_decode64(IdentityConfig.store.irs_attempt_api_public_key)
+        OpenSSL::PKey::RSA.new(decoded_key_der)
+      end
     end
   end
 end
diff --git a/spec/services/irs_attempts_api/attempt_event_spec.rb b/spec/services/irs_attempts_api/attempt_event_spec.rb
index 007dea255da..c075d89288e 100644
--- a/spec/services/irs_attempts_api/attempt_event_spec.rb
+++ b/spec/services/irs_attempts_api/attempt_event_spec.rb
@@ -36,6 +36,7 @@
       headers = JSON.parse(header_str)
 
       expect(headers['alg']).to eq('RSA-OAEP')
+      expect(headers['kid']).to eq(JWT::JWK.new(irs_attempt_api_public_key).kid)
 
       decrypted_jwe_payload = JWE.decrypt(jwe, irs_attempt_api_private_key)