diff --git a/token/jwt/jwt.go b/token/jwt/jwt.go
index 9c5aa5775..538287ade 100644
--- a/token/jwt/jwt.go
+++ b/token/jwt/jwt.go
@@ -48,8 +48,10 @@ func (j *DefaultSigner) Generate(ctx context.Context, claims MapClaims, header M
 
 	switch t := key.(type) {
 	case *jose.JSONWebKey:
+		header.Add("kid", t.KeyID)
 		return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 	case jose.JSONWebKey:
+		header.Add("kid", t.KeyID)
 		return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 	case *rsa.PrivateKey:
 		return generateToken(claims, header, jose.RS256, t)
diff --git a/token/jwt/jwt_test.go b/token/jwt/jwt_test.go
index 1939d7bba..597add2f1 100644
--- a/token/jwt/jwt_test.go
+++ b/token/jwt/jwt_test.go
@@ -21,6 +21,7 @@ import (
 var header = &Headers{
 	Extra: map[string]interface{}{
 		"foo": "bar",
+		"kid": "try-override-key-id",
 	},
 }