diff --git a/src/util/config/types/SecurityConfiguration.ts b/src/util/config/types/SecurityConfiguration.ts
index 078b90459..1f3a19181 100644
--- a/src/util/config/types/SecurityConfiguration.ts
+++ b/src/util/config/types/SecurityConfiguration.ts
@@ -24,7 +24,7 @@ export class SecurityConfiguration {
 	twoFactor: TwoFactorConfiguration = new TwoFactorConfiguration();
 	autoUpdate: boolean | number = true;
 	requestSignature: string = crypto.randomBytes(32).toString("base64");
-	jwtSecret: string = crypto.randomBytes(256).toString("base64"); // deprecated
+	jwtSecret: string | null = null;
 	// header to get the real user ip address
 	// X-Forwarded-For for nginx/reverse proxies
 	// CF-Connecting-IP for cloudflare
diff --git a/src/util/util/Token.ts b/src/util/util/Token.ts
index db2a313b9..9e071ed98 100644
--- a/src/util/util/Token.ts
+++ b/src/util/util/Token.ts
@@ -104,8 +104,8 @@ export const checkToken = (
 		if (!dec) return reject("Could not parse token");
 		logAuth("Decoded token: " + JSON.stringify(dec));
 
-		if (dec.header.alg == "HS256") {
-			jwt.verify(token, Config.get().security.jwtSecret, JWTOptions, validateUser);
+		if (dec.header.alg == "HS256" && Config.get().security.jwtSecret !== null) {
+			jwt.verify(token, Config.get().security.jwtSecret!, JWTOptions, validateUser);
 		} else if (dec.header.alg == "ES512") {
 			loadOrGenerateKeypair().then((keyPair) => {
 				jwt.verify(token, keyPair.publicKey, { algorithms: ["ES512"] }, validateUser);
diff --git a/src/util/util/WebAuthn.ts b/src/util/util/WebAuthn.ts
index a746f3646..d499097d9 100644
--- a/src/util/util/WebAuthn.ts
+++ b/src/util/util/WebAuthn.ts
@@ -19,13 +19,14 @@
 import { Fido2Lib } from "fido2-lib";
 import jwt from "jsonwebtoken";
 import { Config } from "./Config";
+import { loadOrGenerateKeypair } from "./Token";
 
 const jwtSignOptions: jwt.SignOptions = {
-	algorithm: "HS256",
+	algorithm: "ES512",
 	expiresIn: "5m",
 };
 const jwtVerifyOptions: jwt.VerifyOptions = {
-	algorithms: ["HS256"],
+	algorithms: ["ES512"],
 };
 
 export const WebAuthn: {
@@ -44,28 +45,32 @@ export async function generateWebAuthnTicket(
 	challenge: string,
 ): Promise<string> {
 	return new Promise((res, rej) => {
-		jwt.sign(
-			{ challenge },
-			Config.get().security.jwtSecret,
-			jwtSignOptions,
-			(err, token) => {
-				if (err || !token) return rej(err || "no token");
-				return res(token);
-			},
+		loadOrGenerateKeypair().then(kp=>
+			jwt.sign(
+				{ challenge },
+				kp.privateKey,
+				jwtSignOptions,
+				(err, token) => {
+					if (err || !token) return rej(err || "no token");
+					return res(token);
+				},
+			)
 		);
 	});
 }
 
 export async function verifyWebAuthnToken(token: string) {
 	return new Promise((res, rej) => {
-		jwt.verify(
-			token,
-			Config.get().security.jwtSecret,
-			jwtVerifyOptions,
-			async (err, decoded) => {
-				if (err) return rej(err);
-				return res(decoded);
-			},
+		loadOrGenerateKeypair().then(kp=>
+			jwt.verify(
+				token,
+				kp.publicKey,
+				jwtVerifyOptions,
+				async (err, decoded) => {
+					if (err) return rej(err);
+					return res(decoded);
+				},
+			)
 		);
 	});
 }