diff --git a/.github/workflows/integration-auth-tests.yml b/.github/workflows/integration-auth-tests.yml
index 447e8c3fa..ea3ff2b64 100644
--- a/.github/workflows/integration-auth-tests.yml
+++ b/.github/workflows/integration-auth-tests.yml
@@ -81,6 +81,7 @@ jobs:
           yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
           yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
+          yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
           cat $run_dir/run.yaml
 
           # avoid line breaks in the server log, especially because we grep it below.
diff --git a/llama_stack/core/server/auth_providers.py b/llama_stack/core/server/auth_providers.py
index 9908a3f65..b4ea9cdaa 100644
--- a/llama_stack/core/server/auth_providers.py
+++ b/llama_stack/core/server/auth_providers.py
@@ -124,11 +124,19 @@ class OAuth2TokenAuthProvider(AuthProvider):
         )
         # If verify_tls is True and no tls_cafile, ssl_context remains None (use system defaults)
 
+        # Prepare headers for JWKS request - this is needed for Kubernetes to authenticate
+        # to the JWK endpoint
+        headers = {}
+        if self.config.jwks.token:
+            headers["Authorization"] = f"Bearer {self.config.jwks.token}"
+
+        # Create PyJWKClient with SSL context if supported
         self._jwks_client = jwt.PyJWKClient(
             self.config.jwks.uri,
             cache_keys=True,
             max_cached_keys=10,
             lifespan=self.config.jwks.key_recheck_period,  # Use configurable period
+            headers=headers,
             ssl_context=ssl_context,
         )
 
diff --git a/pyproject.toml b/pyproject.toml
index 82ee8af43..d55de794d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
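Review bot: The added line writes `${{ env.TOKEN }}` into run.yaml, and the `cat $run_dir/run.yaml` two lines below then prints that bearer token into the job log. TOKEN is defined outside this hunk, so whether it is a registered secret that GitHub masks is not visible here; if it is derived at runtime (e.g. a service-account token), it will not be masked unless the step runs `echo "::add-mask::$TOKEN"` first. Alternatively print a redacted copy, `yq eval 'del(.server.auth.provider_config.jwks.token)' $run_dir/run.yaml`, instead of the plain cat. The enclosing `run:` block starts before the hunk.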
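Review bot: The bearer token set at `headers["Authorization"]` is sent to whatever `self.config.jwks.uri` resolves to, with no check that the scheme is https, so a misconfigured http URI (or a verify_tls=False setting, which the preceding lines appear to honour) would send the Kubernetes credential in cleartext or to an unverified peer. A guard before the header is attached, `if self.config.jwks.token and not self.config.jwks.uri.startswith("https://"): raise ValueError("jwks.token requires an https jwks.uri")`, keeps the secret off plain HTTP. The token is also read once here and baked into the client for its lifetime; if it is a projected service-account token it will expire without being re-read — presumably acceptable for now, but worth a comment. The new comment `# Create PyJWKClient with SSL context if supported` is misleading since nothing checks for support and pyproject now pins pyjwt>=2.10.0; `# Create PyJWKClient (ssl_context requires pyjwt>=2.10.0)` states the actual constraint. The enclosing method starts before the hunk.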
@@ -34,7 +34,7 @@ dependencies = [
     "openai>=1.107",  # for expires_after support
     "prompt-toolkit",
     "python-dotenv",
-    "pyjwt[crypto]>=2.8.0",  # Pull crypto to support RS256 for jwt.
+    "pyjwt[crypto]>=2.10.0",  # Pull crypto to support RS256 for jwt. Requires 2.10.0+ for ssl_context support.
     "pydantic>=2.11.9",
     "rich",
     "starlette",
diff --git a/uv.lock b/uv.lock
index 724bda075..747e82aaa 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1898,7 +1898,7 @@ requires-dist = [
     { name = "pillow" },
     { name = "prompt-toolkit" },
     { name = "pydantic", specifier = ">=2.11.9" },
-    { name = "pyjwt", extras = ["crypto"], specifier = ">=2.8.0" },
+    { name = "pyjwt", extras = ["crypto"], specifier = ">=2.10.0" },
     { name = "python-dotenv" },
     { name = "python-multipart", specifier = ">=0.0.20" },
     { name = "rich" },