diff --git a/mock/src/main/java/com/tngtech/keycloakmock/impl/TokenGenerator.java b/mock/src/main/java/com/tngtech/keycloakmock/impl/TokenGenerator.java
index c4d93cd..f6579dd 100644
--- a/mock/src/main/java/com/tngtech/keycloakmock/impl/TokenGenerator.java
+++ b/mock/src/main/java/com/tngtech/keycloakmock/impl/TokenGenerator.java
@@ -39,7 +39,9 @@ public String getToken(
 @Nonnull TokenConfig tokenConfig, @Nonnull UrlConfiguration requestConfiguration) {
 JwtBuilder builder = Jwts.builder()
+ .setHeaderParam("alg", algorithm.getValue())
 .setHeaderParam("kid", keyId)
+ .setHeaderParam("typ", "JWT")
 // since the specification allows for more than one audience, but JJWT only accepts
 // one (see https://github.com/jwtk/jjwt/issues/77), use a workaround here
 .claim("aud", tokenConfig.getAudience())
diff --git a/mock/src/test/java/com/tngtech/keycloakmock/impl/TokenGeneratorTest.java b/mock/src/test/java/com/tngtech/keycloakmock/impl/TokenGeneratorTest.java
index 00a4df1..a2b9374 100644
--- a/mock/src/test/java/com/tngtech/keycloakmock/impl/TokenGeneratorTest.java
+++ b/mock/src/test/java/com/tngtech/keycloakmock/impl/TokenGeneratorTest.java
@@ -110,7 +110,10 @@ void config_is_correctly_applied() {
 verify(urlConfiguration).forRequestContext(HOSTNAME, REALM);
 Jwt, Claims> jwt = Jwts.parserBuilder().setSigningKey(signatureComponent.publicKey()).build().parse(token);
- assertThat(jwt.getHeader()).containsEntry("kid", "keyId");
+ assertThat(jwt.getHeader())
+ .containsEntry("alg", "RS256")
+ .containsEntry("kid", "keyId")
+ .containsEntry("typ", "JWT");
 Claims claims = jwt.getBody();
 assertThat(claims).isEqualTo(generator.parseToken(token));
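Review bot: The added `.setHeaderParam("alg", algorithm.getValue())` in getToken makes the `alg` header a hand-set value, separate from the algorithm the token is actually signed with. The signing call is outside this hunk (getToken's body continues past it), so this is inferred, but if it is `signWith(...)`, JJWT writes `alg` itself at signing time and the explicit header is either redundant or a second source of truth that can drift. Verifiers commonly read `alg` and `kid` from the header to decide how to check a token, so a mismatch here would make the mock emit tokens that mislead the code under test. I would either drop the line if the signer already emits the header, or document the coupling with a comment such as `// must stay identical to the algorithm used for signing; JJWT also sets alg when signing`.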
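Review bot: The same three-entry header assertion is added verbatim in config_is_correctly_applied and again in user_data_is_not_generated, user_data_is_generated and explicit_user_data_takes_preference, so the expected header now lives in four places. A private helper, for example `private static void assertStandardHeader(Jwt<?, Claims> jwt)`, would keep it in one. The literal `"RS256"` also ties these tests to one algorithm; if the signature component exposes its algorithm, comparing against that value would be more robust (not visible in this hunk, so confirm). Separately, the header is read through the untyped `parse(token)` call on the context line, which as far as I know does not require a signature in this JJWT generation, so asserting `alg` does not show the token was signed; `parseClaimsJws(token)` would enforce that.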
@@ -158,7 +161,10 @@ void user_data_is_not_generated() {
 Jwt, Claims> jwt = Jwts.parserBuilder().setSigningKey(signatureComponent.publicKey()).build().parse(token);
- assertThat(jwt.getHeader()).containsEntry("kid", "keyId");
+ assertThat(jwt.getHeader())
+ .containsEntry("alg", "RS256")
+ .containsEntry("kid", "keyId")
+ .containsEntry("typ", "JWT");
 Claims claims = jwt.getBody();
 assertThat(claims.getSubject()).isEqualTo("foo.bar");
@@ -176,7 +182,10 @@ void user_data_is_generated() {
 Jwt, Claims> jwt = Jwts.parserBuilder().setSigningKey(signatureComponent.publicKey()).build().parse(token);
- assertThat(jwt.getHeader()).containsEntry("kid", "keyId");
+ assertThat(jwt.getHeader())
+ .containsEntry("alg", "RS256")
+ .containsEntry("kid", "keyId")
+ .containsEntry("typ", "JWT");
 Claims claims = jwt.getBody();
 assertThat(claims.getSubject()).isEqualTo("foo.bar");
@@ -205,7 +214,10 @@ void explicit_user_data_takes_preference() {
 Jwt, Claims> jwt = Jwts.parserBuilder().setSigningKey(signatureComponent.publicKey()).build().parse(token);
- assertThat(jwt.getHeader()).containsEntry("kid", "keyId");
+ assertThat(jwt.getHeader())
+ .containsEntry("alg", "RS256")
+ .containsEntry("kid", "keyId")
+ .containsEntry("typ", "JWT");
 Claims claims = jwt.getBody();
 assertThat(claims.getSubject()).isEqualTo("foo.bar");