diff --git a/lib/jwt/jwt.go b/lib/jwt/jwt.go
index 696b444e4b39c..e6b6b63b48a45 100644
--- a/lib/jwt/jwt.go
+++ b/lib/jwt/jwt.go
@@ -206,7 +206,13 @@ func (k *Key) Sign(p SignParams) (string, error) {
 Traits: p.Traits,
 }
- return k.sign(claims, nil)
+ // RFC 7517 requires that `kid` be present in the JWT header if there are multiple keys in the JWKS.
+ // We ignore the error because go-jose omits the kid if it is empty.
+ so := &jose.SignerOptions{}
+ if v, ok := k.config.PublicKey.(*rsa.PublicKey); ok {
+ so.WithHeader("kid", KeyID(v))
+ }
+ return k.sign(claims, so)
 }
 
 // awsOIDCCustomClaims defines the require claims for the JWT token used in AWS OIDC Integration.
diff --git a/lib/jwt/jwt_test.go b/lib/jwt/jwt_test.go
index 1c30979f8d406..5aafe35a5d27d 100644
--- a/lib/jwt/jwt_test.go
+++ b/lib/jwt/jwt_test.go
@@ -57,6 +57,13 @@ func TestSignAndVerify(t *testing.T) {
 })
 require.NoError(t, err)
 
+ //decode the signed token
+ decodedToken, err := josejwt.ParseSigned(token)
+ require.NoError(t, err)
+
+ // verify that the kid header is present, and not empty
+ require.NotEmpty(t, decodedToken.Headers[0].KeyID)
+
 // Verify that the token can be validated and values match expected values.
 claims, err := key.Verify(VerifyParams{
 Username: "foo@example.com",
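Review bot: The comment `// We ignore the error because go-jose omits the kid if it is empty.` above the new `so` block refers to an error that nothing in the hunk returns — `WithHeader` is called only for its side effect on `so`, and `KeyID(v)` is passed as a plain value — so a reader will hunt for a dropped error that does not exist; replace it with what the code actually does, e.g. `// kid is set only for RSA keys; go-jose omits the header when the value is empty.`. The type assertion also means a non-RSA PublicKey silently yields a token with no kid, which a verifier picking from a multi-key JWKS cannot disambiguate; if Key can be configured with such keys (the config type is not visible here), consider returning an error from Sign or at least documenting the omission at the `if` line. The first comment line overstates the spec: RFC 7517 lists kid as OPTIONAL, so "recommended when a JWK Set holds several keys" is the accurate wording. Sign's body starts before the hunk.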
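Review bot: `decodedToken.Headers[0].KeyID` indexes Headers without checking its length, so a token that ParseSigned returns with no signature headers would panic the test rather than fail it; add `require.Len(t, decodedToken.Headers, 1)` before the NotEmpty check. NotEmpty only proves that some kid was emitted; asserting the expected value, e.g. `require.Equal(t, KeyID(publicKey), decodedToken.Headers[0].KeyID)` (using whatever variable the test holds the RSA public key in — the key setup is outside the hunk), would also catch a kid derived from the wrong key. The added `//decode` comment lacks the space after `//` that the surrounding comments use. TestSignAndVerify starts before the hunk and continues after it.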