diff --git a/contrib/token-server/token.go b/contrib/token-server/token.go
index 917d6ee3e..6661ffcee 100644
--- a/contrib/token-server/token.go
+++ b/contrib/token-server/token.go
@@ -61,7 +61,7 @@ type TokenIssuer struct {
 	Expiration time.Duration
 }
 
-// CreateJWT creates and signs a JSON Web Token for the given account and
+// CreateJWT creates and signs a JSON Web Token for the given subject and
 // audience with the granted access.
 func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAccessList []auth.Access) (string, error) {
 	// Make a set of access entries to put in the token's claimset.
@@ -75,14 +75,14 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
 		actionSet[access.Action] = struct{}{}
 	}
 
-	accessEntries := make([]token.ResourceActions, 0, len(resourceActionSets))
+	accessEntries := make([]*token.ResourceActions, 0, len(resourceActionSets))
 	for resource, actionSet := range resourceActionSets {
 		actions := make([]string, 0, len(actionSet))
 		for action := range actionSet {
 			actions = append(actions, action)
 		}
 
-		accessEntries = append(accessEntries, token.ResourceActions{
+		accessEntries = append(accessEntries, &token.ResourceActions{
 			Type:    resource.Type,
 			Name:    resource.Name,
 			Actions: actions,
@@ -109,15 +109,20 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
 		panic(fmt.Errorf("unsupported signing key type %q", issuer.SigningKey.KeyType()))
 	}
 
-	joseHeader := map[string]interface{}{
-		"typ": "JWT",
-		"alg": alg,
+	joseHeader := token.Header{
+		Type:       "JWT",
+		SigningAlg: alg,
 	}
 
 	if x5c := issuer.SigningKey.GetExtendedField("x5c"); x5c != nil {
-		joseHeader["x5c"] = x5c
+		joseHeader.X5c = x5c.([]string)
 	} else {
-		joseHeader["jwk"] = issuer.SigningKey.PublicKey()
+		var jwkMessage json.RawMessage
+		jwkMessage, err = issuer.SigningKey.PublicKey().MarshalJSON()
+		if err != nil {
+			return "", err
+		}
+		joseHeader.RawJWK = &jwkMessage
 	}
 
 	exp := issuer.Expiration
@@ -125,16 +130,16 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
 		exp = 5 * time.Minute
 	}
 
-	claimSet := map[string]interface{}{
-		"iss": issuer.Issuer,
-		"sub": subject,
-		"aud": audience,
-		"exp": now.Add(exp).Unix(),
-		"nbf": now.Unix(),
-		"iat": now.Unix(),
-		"jti": randomID,
+	claimSet := token.ClaimSet{
+		Issuer:     issuer.Issuer,
+		Subject:    subject,
+		Audience:   audience,
+		Expiration: now.Add(exp).Unix(),
+		NotBefore:  now.Unix(),
+		IssuedAt:   now.Unix(),
+		JWTID:      randomID,
 
-		"access": accessEntries,
+		Access: accessEntries,
 	}
 
 	var (