diff --git a/config/runtime.exs b/config/runtime.exs
index 5f31d2f..0a34ad2 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -20,6 +20,9 @@ if System.get_env("PHX_SERVER") do
 config :comfycamp, ComfycampWeb.Endpoint, server: true
 end
+config :comfycamp,
+ jwt_secret: System.get_env("JWT_SECRET")
+
 if config_env() == :prod do
 database_url = System.get_env("DATABASE_URL") ||
diff --git a/lib/comfycamp/token.ex b/lib/comfycamp/token.ex
index 6ce97c7..88671f3 100644
--- a/lib/comfycamp/token.ex
+++ b/lib/comfycamp/token.ex
@@ -1,3 +1,9 @@
 defmodule Comfycamp.Token do
 use Joken.Config
+
+ def sign(claims) do
+ secret = Application.fetch_env!(:comfycamp, :jwt_secret)
+ signer = Joken.Signer.create("HS256", secret)
+ Joken.Signer.sign(claims, signer)
+ end
 end
diff --git a/lib/comfycamp_web/controllers/oauth_controller.ex b/lib/comfycamp_web/controllers/oauth_controller.ex
index 7516102..23d9ec3 100644
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@@ -99,7 +99,7 @@ defmodule ComfycampWeb.OauthController do
 {access_token, refresh_token} = Accounts.generate_oauth_tokens(code.user)
 id_token = IDToken.build_id_token(code.user, oidc_app.client_id)
- {:ok, signed_id_token, _claims} = Token.generate_and_sign(id_token)
+ signed_id_token = Token.sign(id_token)
 render(conn, :token, access_token: access_token,
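Review bot: `System.get_env("JWT_SECRET")` in the added `config :comfycamp` block yields `nil` when the variable is unset, and because the key is then present with a `nil` value, `Application.fetch_env!/2` in `Comfycamp.Token.sign/1` will not raise; the failure would only surface at the first token request. Since this value is the HS256 key that signs ID tokens, it is safer to fail at boot, for example inside the `if config_env() == :prod do` block: `jwt_secret: System.get_env("JWT_SECRET") || raise("environment variable JWT_SECRET is missing")`. A length check next to it (at least 32 bytes for HS256) would also catch a short or placeholder secret. The prod block continues outside the hunk.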
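Review bot: `sign/1` returns whatever `Joken.Signer.sign/2` returns, which in Joken 2.x is a tagged tuple (`{:ok, token}` or `{:error, reason}`) rather than the bare token, and the call site changed in lib/comfycamp_web/controllers/oauth_controller.ex binds that result straight to `signed_id_token` and passes it to `render`. Either match here with `{:ok, token} = Joken.Signer.sign(claims, signer)` and return `token`, or keep the tuple, declare it in a `@spec`, and match at the call site. The function also has no `@doc`; one sentence stating that it signs the given claims with HS256 using the configured `:jwt_secret` and what it returns would make the contract explicit.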
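Review bot: Replacing `Token.generate_and_sign(id_token)` with `Token.sign(id_token)` skips the claim-generation step that `use Joken.Config` provides, so time-bound claims such as `exp`, `iat` and `nbf` are no longer added by the token module. `IDToken.build_id_token/2` is not visible in this diff; if it does not set them itself, the ID token would be issued without an expiry. If the aim was only to sign with the configured secret, building `Token.sign/1` on `generate_and_sign(claims, signer)` keeps that step and the original `{:ok, signed_id_token, _claims}` match. The enclosing action starts and ends outside the hunk.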