diff --git a/zsshlib/authenticate.go b/zsshlib/authenticate.go
index 24749fb..1411bd8 100644
--- a/zsshlib/authenticate.go
+++ b/zsshlib/authenticate.go
@@ -51,6 +51,7 @@ func NewContext(flags *SshFlags, enableMfaListener bool) ziti.Context {
 ZtAPI: ozController + "/edge/client/v1",
 Credentials: credentials,
 }
+ credentials.AddJWT(oidcToken) // satisfy the ext-jwt-auth primary + secondary
 cfg.ConfigTypes = append(cfg.ConfigTypes, "all")
 c, ctxErr := ziti.NewContext(cfg)
diff --git a/zsshlib/ssh.go b/zsshlib/ssh.go
index e3ae105..45db13a 100644
--- a/zsshlib/ssh.go
+++ b/zsshlib/ssh.go
@@ -305,6 +305,10 @@ func sshAuthMethodFromFile(keyPath string) (ssh.AuthMethod, error) {
 if err != nil {
 return nil, fmt.Errorf("could not read zssh file [%s]: %w", keyPath, err)
 }
+ _, _, _, _, pubkeyErr := ssh.ParseAuthorizedKey(content)
+ if pubkeyErr == nil {
+ log.Fatal("the provided key for ssh authentication is a public key, but a private key is required")
+ }
 if signer, err := ssh.ParsePrivateKey(content); err == nil {
 return ssh.PublicKeys(signer), nil
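Review bot: The added `credentials.AddJWT(oidcToken)` in NewContext runs unconditionally in the visible lines, so a path that reaches it without a completed OIDC login would attach an empty bearer token to the controller credentials. NewContext starts and ends outside the hunk, so whether `oidcToken` is always populated here cannot be confirmed; if it is not, guard the call with `if oidcToken != "" { credentials.AddJWT(oidcToken) }`. The trailing comment is also terse for a line that changes how the session authenticates; something like `// attach the OIDC token so the controller's ext-jwt-signer can satisfy both the primary and secondary auth policy` would tell the next reader why the token is added after the credentials are built.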
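Review bot: The new public-key check in sshAuthMethodFromFile calls `log.Fatal`, which terminates the whole process from inside a library helper that already returns `(ssh.AuthMethod, error)`. That skips deferred cleanup and takes the decision away from callers, which may want to fall back to another auth method or report the failure in their own format. Returning the error keeps it consistent with the read failure just above it: `return nil, fmt.Errorf("zssh key file [%s] is a public key, but a private key is required", keyPath)`. The function body continues outside the hunk.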