diff --git a/internal/api/token.go b/internal/api/token.go
index 0cee6c277..f65ec9a67 100644
--- a/internal/api/token.go
+++ b/internal/api/token.go
@@ -379,8 +379,9 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 }
 if _, ok := token.Header["kid"]; !ok {
- kid := signingJwk.KeyID()
- token.Header["kid"] = kid
+ if kid := signingJwk.KeyID(); kid != "" {
+ token.Header["kid"] = kid
+ }
 }
 // this serializes the aud claim to a string
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
index 2b50606ac..9ead9b37c 100644
--- a/internal/conf/configuration.go
+++ b/internal/conf/configuration.go
@@ -743,11 +743,7 @@ func (config *GlobalConfiguration) ApplyDefaults() error {
 if config.JWT.Keys == nil || len(config.JWT.Keys) == 0 {
 // transform the secret into a JWK for consistency
- bytes, err := base64.StdEncoding.DecodeString(config.JWT.Secret)
- if err != nil {
- bytes = []byte(config.JWT.Secret)
- }
- privKey, err := jwk.FromRaw(bytes)
+ privKey, err := jwk.FromRaw([]byte(config.JWT.Secret))
 if err != nil {
 return err
 }
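Review bot: When `signingJwk.KeyID()` returns an empty string the token is now issued with no `kid` header at all, and nothing in the hunk records why or what a verifier should do with such a token. Presumably this covers the JWK built from the legacy `JWT.Secret`, which carries no key ID; a comment such as `// the key derived from the legacy secret has no key ID; omit kid rather than emit an empty one` would make that explicit. The verification path (not visible here) should pick the key for a kid-less token deliberately and keep the expected algorithm pinned, rather than falling back to trying every configured key. `generateAccessToken` starts and ends outside the hunk.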
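Review bot: The secret now becomes the HMAC key byte-for-byte in `jwk.FromRaw([]byte(config.JWT.Secret))`, and nothing visible in this hunk checks its length, so a short secret produces a signing key that is weak against offline guessing. If no such validation exists elsewhere in `ApplyDefaults` or the config loader (not visible here), consider rejecting or at least warning on secrets shorter than 32 bytes before this call. Dropping the base64 fallback also changes the derived key for any deployment whose secret happens to be valid base64, so tokens signed by the previous build would stop verifying there; the comment should say so, e.g. `// use the secret's raw bytes as the HMAC key; it is never base64-decoded`. `ApplyDefaults` starts and ends outside the hunk.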