diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
index 6bdc6ab1eb3ed..0a56c1763ea66 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
@@ -232,6 +232,12 @@ public static class Jwt {
  @ConfigItem(defaultValue = "password")
  public String keyPassword;
+ /**
+ * Key identifier of the signing key added as a JWT 'kid' header
+ */
+ @ConfigItem
+ public Optional tokenKeyId = Optional.empty();
+
  /**
  * JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.
  */
diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
index 853626712179c..86e166bd024d4 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
@@ -20,7 +20,7 @@
 import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.smallrye.jwt.build.Jwt;
-import io.smallrye.jwt.build.JwtClaimsBuilder;
+import io.smallrye.jwt.build.JwtSignatureBuilder;
 import io.smallrye.jwt.util.KeyUtils;
 import io.smallrye.jwt.util.ResourceUtils;
 import io.vertx.core.http.HttpClientOptions;
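Review bot: The new `tokenKeyId` field is shown as a raw `Optional`; if that is not merely a rendering artifact of a stripped type argument, it should be `public Optional<String> tokenKeyId = Optional.empty();` so that the `builder.keyId(...)` call in OidcCommonUtils receives a `String` without a cast. The Javadoc should also spell out the absent case, since the signing code only sets the header when the value is present: `Key identifier of the signing key, added as the JWT 'kid' header when set; when absent no 'kid' header is emitted.` Because `kid` is an unauthenticated header hint the verifying side may use to select a key, a sentence saying the value has to match the identifier the OIDC server knows the key under would help operators configure it correctly (presumably the id published with the key; confirm against the server's key lookup).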
@@ -220,11 +220,15 @@ public static String signJwt(OidcCommonConfig oidcConfig) {
  public static String signJwtWithKey(OidcCommonConfig oidcConfig, Key key) {
  // 'jti' and 'iat' claim is created by default, iat - is set to the current time
- JwtClaimsBuilder builder = Jwt
+ JwtSignatureBuilder builder = Jwt
  .issuer(oidcConfig.clientId.get())
  .subject(oidcConfig.clientId.get())
  .audience(getAuthServerUrl(oidcConfig))
- .expiresIn(oidcConfig.credentials.jwt.lifespan);
+ .expiresIn(oidcConfig.credentials.jwt.lifespan)
+ .jws();
+ if (oidcConfig.credentials.jwt.tokenKeyId.isPresent()) {
+ builder.keyId(oidcConfig.credentials.jwt.tokenKeyId.get());
+ }
  if (key instanceof SecretKey) {
  return builder.sign((SecretKey) key);
  } else {
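Review bot: The added `isPresent()`/`get()` pair on `tokenKeyId` reads better as `oidcConfig.credentials.jwt.tokenKeyId.ifPresent(builder::keyId);`, which also drops the unchecked `Optional.get()`. Nothing in the hunk rejects a blank key id, so an empty configured string would presumably be emitted as the `kid` header unless `JwtSignatureBuilder.keyId` validates it — I cannot tell from here, so a config-time check (or a comment stating that `keyId` rejects blanks) would be worth adding. A why-comment above the new block such as `// 'kid' lets the server pick the verification key; it must match the id the server knows the key under` would make the intent of the new header clear to the next maintainer. signJwtWithKey's body continues past the end of the hunk.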