diff --git a/src/api/client/session/jwt.rs b/src/api/client/session/jwt.rs
index 60839aa4..90bdbe50 100644
--- a/src/api/client/session/jwt.rs
+++ b/src/api/client/session/jwt.rs
@@ -66,16 +66,19 @@ fn validate(config: &JwtConfig, token: &str) -> Result {
 fn init_verifier(config: &JwtConfig) -> Result {
 let key = &config.key;
- let format = config.format.as_str();
+ let format = config.format.to_uppercase();
- Ok(match format {
+ Ok(match format.as_str() {
 | "HMAC" => DecodingKey::from_secret(key.as_bytes()),
 | "HMACB64" => DecodingKey::from_base64_secret(key.as_str())
 .map_err(|e| err!(Config("jwt.key", "JWT key is not valid base64: {e}")))?,
 | "ECDSA" => DecodingKey::from_ec_pem(key.as_bytes())
- .map_err(|e| err!(Config("jwt.key", "JWT key is not valid PEM: {e}")))?,
+ .map_err(|e| err!(Config("jwt.key", "JWT key is not valid ECDSA PEM: {e}")))?,
+
+ | "EDDSA" => DecodingKey::from_ed_pem(key.as_bytes())
+ .map_err(|e| err!(Config("jwt.key", "JWT key is not valid EDDSA PEM: {e}")))?,
 | _ => return Err!(Config("jwt.format", "Key format {format:?} is not supported.")),
 })
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 3eb9e555..13d29f5a 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -2422,6 +2422,7 @@ pub struct JwtConfig {
 /// - HMAC is a plaintext shared-secret private-key.
 /// - B64HMAC is a base64-encoded version of HMAC.
 /// - ECDSA is a PEM-encoded public-key.
+ /// - EDDSA is a PEM-encoded Ed25519 public-key.
 ///
 /// default: "HMAC"
 #[serde(default = "default_jwt_format")]
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
index b57acf56..781b2852 100644
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -2064,6 +2064,7 @@
 # - HMAC is a plaintext shared-secret private-key.
 # - B64HMAC is a base64-encoded version of HMAC.
 # - ECDSA is a PEM-encoded public-key.
+# - EDDSA is a PEM-encoded Ed25519 public-key.
 #
 #format = "HMAC"
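Review bot: The match in `init_verifier` (src/api/client/session/jwt.rs) accepts `"HMACB64"`, but the doc comment in src/core/config/mod.rs and the comment in tuwunel-example.toml both name the format `B64HMAC`, so an operator who copies the documented spelling still hits the "is not supported" arm even with the new case folding. Either accept both spellings, `| "HMACB64" | "B64HMAC" => DecodingKey::from_base64_secret(key.as_str())`, or correct the two documentation lines to match the code. Separately, the algorithm list that `validate` hands to the decoder is not visible in this hunk; presumably it has to include EdDSA, and only algorithms of the configured key's family, for the new `"EDDSA"` arm to be usable, so that is worth confirming alongside this change. The closing brace of `init_verifier` lies outside the hunk.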