diff --git a/src/Codec.php b/src/Codec.php
index 2a98922..e83fbea 100644
--- a/src/Codec.php
+++ b/src/Codec.php
@@ -4,6 +4,8 @@
 namespace Firehed\JWT;
+use SensitiveParameter;
+
 /**
 * Convenience wrapper for key management. The intent is to set up an instance
 * of this class once in your application's DI container, and pass it around
@@ -29,8 +31,10 @@ public function encode(array $claims, $keyId = null): string
 return $jwt->getEncoded($keyId);
 }
- public function decode(string $jwt): JWT
- {
+ public function decode(
+ #[SensitiveParameter]
+ string $jwt
+ ): JWT {
 return JWT::fromEncoded($jwt, $this->keys);
 }
 }
diff --git a/src/JWT.php b/src/JWT.php
index fc4a5b8..957a022 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -8,6 +8,7 @@
 use Exception;
 use Firehed\Security\Secret;
 use RuntimeException;
+use SensitiveParameter;
 use UnexpectedValueException;
 class JWT
@@ -88,8 +89,11 @@ public function setKeys(KeyContainer $keys): self
 return $this;
 }
- public static function fromEncoded(string $encoded, KeyContainer $keys): self
- {
+ public static function fromEncoded(
+ #[SensitiveParameter]
+ string $encoded,
+ KeyContainer $keys
+ ): self {
 // This should exactly follow s7.2 of the IETF JWT spec
 $parts = explode('.', $encoded);
 if (3 !== count($parts)) {
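Review bot: The `#[SensitiveParameter]` on `decode()` only redacts `$jwt` from stack traces on PHP 8.2 and later, and nothing in the hunk says so; on older runtimes the raw token still appears in traces and error logs. A short comment above the attribute would record that, e.g. `// Redacted from stack traces on PHP >= 8.2 only; no effect on older runtimes.` If the package still supports PHP 7.x (not visible here), the attribute must also stay on its own line so that it parses as a `#` comment, which is worth stating in the same comment. The same applies to `fromEncoded()` in src/JWT.php.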
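Review bot: Marking `$encoded` protects only this frame's argument. The segments produced by `explode('.', $encoded)` are ordinary locals, so any userland function further down that receives one will still print it in a trace unless its own parameter also carries `#[SensitiveParameter]`. The body of `fromEncoded()` continues past the hunk, so the helpers involved are not visible here; they should be checked, along with any exception message that interpolates the token or a segment, since the attribute does not touch messages. A test that forces a failure inside `fromEncoded()` on PHP 8.2+ and asserts the token is absent from `getTraceAsString()` would keep this from regressing.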