diff --git a/lib/jwt/jwt.go b/lib/jwt/jwt.go
index bae762d503b4f..95665407a54a1 100644
--- a/lib/jwt/jwt.go
+++ b/lib/jwt/jwt.go
@@ -216,7 +216,10 @@ func (k *Key) Sign(p SignParams) (string, error) {
 		Traits: p.Traits,
 	}
 
-	return k.sign(claims, nil)
+	// RFC 7517 requires that `kid` be present in the JWT header if there are multiple keys in the JWKS.
+	// We ignore the error because go-jose omits the kid if it is empty.
+	kid, _ := KeyID(k.config.PublicKey)
+	return k.sign(claims, (&jose.SignerOptions{}).WithHeader("kid", kid))
 }
 
 // awsOIDCCustomClaims defines the require claims for the JWT token used in AWS OIDC Integration.
diff --git a/lib/jwt/jwt_test.go b/lib/jwt/jwt_test.go
index bd4a4f7f753d8..b9ab5cd17d622 100644
--- a/lib/jwt/jwt_test.go
+++ b/lib/jwt/jwt_test.go
@@ -61,6 +61,13 @@ func TestSignAndVerify(t *testing.T) {
 	})
 	require.NoError(t, err)
 
+	//decode the signed token
+	decodedToken, err := josejwt.ParseSigned(token)
+	require.NoError(t, err)
+
+	// verify that the kid header is present, and not empty
+	require.NotEmpty(t, decodedToken.Headers[0].KeyID)
+
 	// Verify that the token can be validated and values match expected values.
 	claims, err := key.Verify(VerifyParams{
 		Username: "foo@example.com",
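Review bot: The error from `KeyID` is dropped on the new `kid, _ := KeyID(k.config.PublicKey)` line, so a key whose ID cannot be derived is silently signed with no `kid` header — exactly the situation the comment says the header exists to prevent, since a verifier holding a multi-key JWKS then has no selector and will either reject the token or fall back to trying every key. Treating that as a signing failure is safer than emitting an unidentifiable token: `kid, err := KeyID(k.config.PublicKey); if err != nil { return "", err }` (wrapped in whatever error style this file already uses); if a silent omission is really intended, the comment should say why that is acceptable rather than describing go-jose's behaviour. The comment's citation is also slightly off: the `kid` JWS header is defined in RFC 7515 §4.1.4 and its use for key selection is a SHOULD, not a requirement — `// Set the kid header (RFC 7515 §4.1.4) so verifiers can pick the matching key from a multi-key JWKS.` would be more accurate. Whether the value produced by `KeyID` matches the `kid` the JWKS endpoint publishes for the same key is not visible in this hunk and is worth confirming, since a mismatch defeats the purpose of the header. `Sign` begins before this hunk.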
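Review bot: The new assertion `require.NotEmpty(t, decodedToken.Headers[0].KeyID)` only proves some `kid` was emitted, not that it is the identifier a verifier would look for, so a regression that sets the header to the wrong value would still pass. Computing the expected value from the same public key the test signs with and comparing it pins the contract: `expectedKID, err := KeyID(<the test's public key>)`, `require.NoError(t, err)`, `require.Equal(t, expectedKID, decodedToken.Headers[0].KeyID)` — the public-key variable is declared above this hunk, so substitute its actual name. As a style nit, `//decode the signed token` is missing the space after `//` that the file's other comments use. `TestSignAndVerify` begins before this hunk.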