diff --git a/Gemfile.lock b/Gemfile.lock
index 9fa290a1..286627f5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -3,7 +3,7 @@ PATH
   specs:
     workos (5.26.0)
       encryptor (~> 3.0)
-      jwt (~> 2.8)
+      jwt (~> 3.1)
 
 GEM
   remote: https://rubygems.org/
@@ -11,7 +11,7 @@ GEM
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
-    base64 (0.2.0)
+    base64 (0.3.0)
     bigdecimal (3.1.7)
     crack (1.0.0)
       bigdecimal
@@ -20,7 +20,7 @@ GEM
     encryptor (3.0.0)
     hashdiff (1.1.0)
     json (2.9.1)
-    jwt (2.10.1)
+    jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.3)
     parallel (1.26.3)
diff --git a/spec/lib/workos/session_spec.rb b/spec/lib/workos/session_spec.rb
index d0075650..3ff9c728 100644
--- a/spec/lib/workos/session_spec.rb
+++ b/spec/lib/workos/session_spec.rb
@@ -5,8 +5,8 @@
   let(:cookie_password) { 'test_very_long_cookie_password__' }
   let(:session_data) { 'test_session_data' }
   let(:jwks_url) { 'https://api.workos.com/sso/jwks/client_123' }
-  let(:jwks_hash) { '{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","n":"test_n","e":"AQAB","kid":"sso_oidc_key_pair_123","x5c":["test"],"x5t#S256":"test"}]}' } # rubocop:disable all
   let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), { kid: 'sso_oidc_key_pair_123', use: 'sig', alg: 'RS256' }) }
+  let(:jwks_hash) { { keys: [jwk.export] }.to_json }
 
   before do
     allow(Net::HTTP).to receive(:get).and_return(jwks_hash)
diff --git a/workos.gemspec b/workos.gemspec
index b9f827a5..ca25c876 100644
--- a/workos.gemspec
+++ b/workos.gemspec
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'encryptor', '~> 3.0'
-  spec.add_dependency 'jwt', '~> 2.8'
+  spec.add_dependency 'jwt', '~> 3.1'
 
   spec.add_development_dependency 'bundler', '>= 2.0.1'
   spec.add_development_dependency 'rspec', '~> 3.9.0'