diff --git a/yletunnus/backends.py b/yletunnus/backends.py
index 64159ada..8f25981d 100644
--- a/yletunnus/backends.py
+++ b/yletunnus/backends.py
@@ -31,5 +31,8 @@ def get_user_details(self, response):
         }
 
     def user_data(self, access_token, *args, **kwargs):
-        data = jwt.decode(access_token, secret=self.setting('SECRET'), verify=False)
+        data = jwt.decode(
+            access_token, key=self.setting('SECRET'), algorithms=('HS256', 'HS512'),
+            verify=True, issuer='https://auth.api.yle.fi', audience=self.setting('KEY')
+        )
         return data
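Review bot: The new `jwt.decode(...)` call in `user_data` checks signature, issuer and audience, but nothing in it makes the `exp` claim mandatory, and PyJWT validates expiry only when the claim is present, so a correctly signed token without `exp` would never expire. Consider requiring it, e.g. `options={'require_exp': True}` on PyJWT 1.x or `options={'require': ['exp']}` on 2.x; the version in use is not visible here. `verify=True` is already the default on 1.x and was dropped as a decode argument in 2.x, so it can be removed. A comment such as `# access_token is a JWT signed with the client secret; reject unless signature, iss and aud check out` would document the intent. It is also worth confirming that the `jwt` exceptions now raised on a bad token are translated into an auth failure by the caller rather than surfacing as a server error.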
diff --git a/yletunnus/tests/test_backend.py b/yletunnus/tests/test_backend.py
index 0d6828c0..dc389aad 100644
--- a/yletunnus/tests/test_backend.py
+++ b/yletunnus/tests/test_backend.py
@@ -12,7 +12,7 @@
 
 
 class YleTunnusOAuth2Test(OAuth2Test):
-    client_key = 'a-key'
+    client_key = 'a-client-id'
     client_secret = 'a-secret-key'
 
     backend_path = 'yletunnus.backends.YleTunnusOAuth2'
@@ -69,8 +69,8 @@ def prepare_access_token_body(self, client_key=None, tamper_message=False,
             timegm(issue_datetime.utctimetuple())
         )
 
-        key = SYMKey(key=self.client_key, alg='HS512')
-        body['access_token'] = JWS(id_token, jwk=key, alg='HS512').sign_compact()
+        key = SYMKey(key=self.client_secret, alg='HS256')
+        body['access_token'] = JWS(id_token, jwk=key, alg='HS256').sign_compact()
         if tamper_message:
             header, msg, sig = body['id_token'].split('.')
             id_token['sub'] = '1235'
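Review bot: The tamper branch just below the re-signed token still splits `body['id_token']`, while the token this helper signs and the backend now verifies is `body['access_token']`, so the tampered case may never reach the new check in `user_data`; whether `body['id_token']` is set at all is not visible in this hunk. If the intent is to prove that a modified token is rejected, the branch should probably read `header, msg, sig = body['access_token'].split('.')` and write the altered token back to the same key. The backend accepts both HS256 and HS512, but only HS256 is exercised here; a case for HS512 and one each for a wrong `aud` and a wrong `iss` would cover the rest of the new verification. `prepare_access_token_body` starts above and continues below the hunk.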