diff --git a/src/JWK.php b/src/JWK.php
index 405dcc49..d5175b21 100644
--- a/src/JWK.php
+++ b/src/JWK.php
@@ -52,7 +52,7 @@ class JWK
      *
      * @uses parseKey
      */
-    public static function parseKeySet(array $jwks, ?string $defaultAlg = null): array
+    public static function parseKeySet(#[\SensitiveParameter] array $jwks, ?string $defaultAlg = null): array
     {
         $keys = [];
 
@@ -93,7 +93,7 @@ public static function parseKeySet(array $jwks, ?string $defaultAlg = null): arr
      *
      * @uses createPemFromModulusAndExponent
      */
-    public static function parseKey(array $jwk, ?string $defaultAlg = null): ?Key
+    public static function parseKey(#[\SensitiveParameter] array $jwk, ?string $defaultAlg = null): ?Key
     {
         if (empty($jwk)) {
             throw new InvalidArgumentException('JWK must not be empty');
diff --git a/src/JWT.php b/src/JWT.php
index 5386b601..a2e4438a 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -95,7 +95,7 @@ class JWT
      */
     public static function decode(
         string $jwt,
-        $keyOrKeyArray,
+        #[\SensitiveParameter] $keyOrKeyArray,
         ?stdClass &$headers = null
     ): stdClass {
         // Validate JWT
@@ -208,7 +208,7 @@ public static function decode(
      */
     public static function encode(
         array $payload,
-        $key,
+        #[\SensitiveParameter] $key,
         string $alg,
         ?string $keyId = null,
         ?array $head = null
@@ -246,7 +246,7 @@ public static function encode(
      */
     public static function sign(
         string $msg,
-        $key,
+        #[\SensitiveParameter] $key,
         string $alg
     ): string {
         if (empty(static::$supported_algs[$alg])) {
@@ -313,7 +313,7 @@ public static function sign(
     private static function verify(
         string $msg,
         string $signature,
-        $keyMaterial,
+        #[\SensitiveParameter] $keyMaterial,
         string $alg
     ): bool {
         if (empty(static::$supported_algs[$alg])) {
@@ -467,7 +467,7 @@ public static function urlsafeB64Encode(string $input): string
      * @return Key
      */
     private static function getKey(
-        $keyOrKeyArray,
+        #[\SensitiveParameter] $keyOrKeyArray,
         ?string $kid
     ): Key {
         if ($keyOrKeyArray instanceof Key) {
diff --git a/src/Key.php b/src/Key.php
index b34eae25..4db94851 100644
--- a/src/Key.php
+++ b/src/Key.php
@@ -14,7 +14,7 @@ class Key
      * @param string $algorithm
      */
     public function __construct(
-        private $keyMaterial,
+        #[\SensitiveParameter] private $keyMaterial,
         private string $algorithm
     ) {
         if (