diff --git a/src/Server.hs b/src/Server.hs
index 855b1de..e6155b8 100644
--- a/src/Server.hs
+++ b/src/Server.hs
@@ -217,12 +217,12 @@ tokenEndpoint = provideToken
 
 mkToken :: AuthState -> IO JWTWrapper
 mkToken state = do
-  privateKey <- atomically $ readTVar state >>= return . privateKey
+  pubKey <- atomically $ readTVar state >>= return . publicKey
   now <- getCurrentTime
   let
     lifetime = nominalDay / 4 -- TODO make configurable
     jwt = JWT "Oauth2MockServer" (lifetime `addUTCTime` now)
-  encoded <- jwkEncode RSA_OAEP_256 A128GCM privateKey (Nested . Jwt . toStrict $ encode jwt)
+  encoded <- jwkEncode RSA_OAEP_256 A128GCM pubKey (Nested . Jwt . toStrict $ encode jwt)
   case encoded of
     Right (Jwt token) -> return $ JWTW (BS.unpack token) lifetime
     Left e -> error $ show e
@@ -265,8 +265,8 @@ userEndpoint = handleUserData
 
 decodeToken :: Text -> AuthState -> IO (Either JwtError JwtContent)
 decodeToken token state = do
-  pubKey <- atomically $ readTVar state >>= return . publicKey
-  jwkDecode pubKey $ encodeUtf8 token
+  prKey <- atomically $ readTVar state >>= return . privateKey
+  jwkDecode prKey $ encodeUtf8 token
 
 userListEndpoint :: forall user userData . UserData user userData => AuthServer (UserList userData)
 userListEndpoint = handleUserData