diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index 5754c1590..5bea31b2a 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -193,6 +193,7 @@ def token_for_valid_certificate(extra)
 subject: subject_s,
 issuer: issuer.to_s,
 uuid: piv.uuid,
+ key_id: key_id,
 )
 )
 end
diff --git a/spec/controllers/identify_controller_spec.rb b/spec/controllers/identify_controller_spec.rb
index 0a122df50..eecd5d35c 100644
--- a/spec/controllers/identify_controller_spec.rb
+++ b/spec/controllers/identify_controller_spec.rb
@@ -135,7 +135,7 @@
 allow(OcspService).to receive(:new).and_return(ocsp_responder)
 end

- it 'returns a token with a uuid and subject and logs certificate metadata' do
+ it 'returns a token with a uuid, subject, key id, and logs certificate metadata' do
 allow(IdentityConfig.store).to receive(:client_cert_escaped).and_return(true)
 cert = Certificate.new(client_cert)

@@ -169,6 +169,7 @@
 expect(token).to be_truthy
 expect(token_contents['nonce']).to eq '123'
+ expect(token_contents['key_id']).to eq(cert.key_id)

 # N.B.: we do this split/sort because DNs match without respect to
 # ordering of components. OpenSSL::X509::Name doesn't match correctly.
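Review bot: The new `key_id: key_id` entry in token_for_valid_certificate is written into the issued token with no guard that `key_id` is actually present, so a certificate for which the method returns nil would still be minted a token, just with a nil key_id; the companion spec line `expect(token_contents['key_id']).to eq(cert.key_id)` would pass in that case too, since both sides are nil. If consumers treat key_id as a binding to the presented certificate, fail closed before signing, e.g. `key_id: key_id || raise(ArgumentError, 'certificate has no key_id'),` (or drop the key from the payload when absent, if that is the intended contract), and pin the spec to a concrete expected value rather than the model's own output. A one-line comment on the hash entry naming where key_id is derived from (I cannot tell from the hunk whether it is the certificate's key identifier extension or a digest of the public key) would help the next reader judge how stable the value is across renewals. token_for_valid_certificate begins and ends outside the hunk.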