diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,12 @@
+0.3.1
+-----
+
+Changed the signature of `Jwt.encode` to take a list of `Jwk` rather than a single key. The key will be selected from
+the list based on the specified algorithms.
+
 0.3
 ---
 
 * New support for JWS validation using elliptic curve algorithms.
 * Added `Jwt.encode` function which takes a JWK argument, allowing key data (currently the key ID) to be encoded in the token header.
-
 
diff --git a/Jose/Jwt.hs b/Jose/Jwt.hs
--- a/Jose/Jwt.hs
+++ b/Jose/Jwt.hs
@@ -46,23 +46,28 @@
 import qualified Jose.Jwe as Jwe
 
 
--- | Use the supplied JWK to create a JWT.
+-- | Use the supplied JWKs to create a JWT.
+-- The list of keys will be searched to locate one which is
+-- consistent with the chosen algorithm.
 --
 encode :: (CPRG g)
        => g                               -- ^ Random number generator.
-       -> Jwk                             -- ^ The key. Must be consistent with the chosen algorithm
+       -> [Jwk]                           -- ^ The key or keys. At least one must be consistent with the chosen algorithm
        -> Alg                             -- ^ The JWS or JWE algorithm
        -> Maybe Enc                       -- ^ The payload encryption algorithm (if applicable)
        -> ByteString                      -- ^ The payload (claims)
-       -> (Either JwtError ByteString, g) -- ^ The encode JWT, if successful
-encode rng jwk alg enc msg = flip runState rng $ runEitherT $ case alg of
+       -> (Either JwtError ByteString, g) -- ^ The encoded JWT, if successful
+encode rng jwks alg enc msg = flip runState rng $ runEitherT $ case alg of
     Signed a    -> do
         unless (isNothing enc) $ left (BadAlgorithm "Enc cannot be set for a JWS")
-        hoistEither (validateForJws a jwk)
-        hoistEither =<< state (\g -> Jws.jwkEncode g a jwk msg)
-    Encrypted a -> case enc of
-        Nothing   -> left (BadAlgorithm "Enc must be supplied for a JWE")
-        Just e    -> hoistEither =<< state (\g -> Jwe.jwkEncode g a e jwk msg)
+        case findMatchingJwsKeys jwks (defJwsHdr { jwsAlg = a }) of
+            []     -> left (KeyError "No matching key found for JWS algorithm")
+            (k:_) -> hoistEither =<< state (\g -> Jws.jwkEncode g a k msg)
+    Encrypted a -> do
+        e <- hoistEither $ note (BadAlgorithm "Enc must be supplied for a JWE") enc
+        case findMatchingJweKeys jwks (defJweHdr { jweAlg = a, jweEnc = e }) of
+            []     -> left (KeyError "No matching key found for JWE algorithm")
+            (k:_) -> hoistEither =<< state (\g -> Jwe.jwkEncode g a e k msg)
 
 
 -- | Uses the supplied keys to decode a JWT.
@@ -98,9 +103,7 @@
     decodeWithJwe :: CPRG g => Jwk -> EitherT JwtError (State g) (Maybe Jwt)
     decodeWithJwe k = case k of
         RsaPrivateJwk kPr _ _ _ -> do
-            g <- lift get
-            let (e, g') = Jwe.rsaDecode g kPr jwt
-            lift $ put g'
+            e <- state (\g -> Jwe.rsaDecode g kPr jwt)
             either (const $ return Nothing) (return . Just . Jwe) e
         _                       -> left $ KeyError "Not a JWE key (shouldn't happen)"
 
diff --git a/jose-jwt.cabal b/jose-jwt.cabal
--- a/jose-jwt.cabal
+++ b/jose-jwt.cabal
@@ -1,5 +1,5 @@
 Name:               jose-jwt
-Version:            0.3
+Version:            0.3.1
 Synopsis:           JSON Object Signing and Encryption Library
 Homepage:           http://github.com/tekul/jose-jwt
 Bug-Reports:        http://github.com/tekul/jose-jwt/issues
@@ -7,7 +7,7 @@
     .
     Intended to provide support for the JOSE suite of IETF (draft)
     standards and the closely related JWT (JSON web token) spec
-    (<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25/>).
+    (<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32/>).
     .
     Both signed and encrypted JWTs are supported, as well as simple
     JWK format keys.
