diff --git a/DigitalData.Core.Security/Config/AsymCryptParams.cs b/DigitalData.Core.Security/Config/AsymCryptParams.cs
index 598ee96..95189d9 100644
--- a/DigitalData.Core.Security/Config/AsymCryptParams.cs
+++ b/DigitalData.Core.Security/Config/AsymCryptParams.cs
@@ -1,4 +1,5 @@
-using DigitalData.Core.Security.Cryptographer;
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Cryptographer;
 
 namespace DigitalData.Core.Security.Config
 {
@@ -59,7 +60,10 @@ namespace DigitalData.Core.Security.Config
 public RSADecryptor? Vault { get; init; }
 
- public AsymCryptParams() => AfterCreate += () =>
+ public AsymCryptParams()
+ {
+ // init decryptors
+ AfterCreate += () =>
 {
 // Create root folder if it does not exist
 if (!Directory.Exists(PemDirectory))
@@ -94,5 +98,19 @@ namespace DigitalData.Core.Security.Config
 }
 }
 };
+
+ // set signing credentials of token descriptions
+ AfterCreate += () =>
+ {
+ foreach(var tDesc in TokenDescriptions)
+ {
+ if (!Decryptors.TryGet(issuer: tDesc.Issuer, tDesc.Audience, out var decryptor) || decryptor is null)
+ throw new InvalidOperationException(
+ $"Decryptor for Issuer '{tDesc.Issuer}' and Audience '{tDesc.Audience}' could not be found or is null.");
+
+ tDesc.SigningCredentials = decryptor.CreateSigningCredentials(algorithm: tDesc.SigningAlgorithm, digest: tDesc.SigningDigest);
+ }
+ };
+ }
 }
 }
\ No newline at end of file
diff --git a/DigitalData.Core.Security/Config/TokenDescription.cs b/DigitalData.Core.Security/Config/TokenDescription.cs
index a039eba..9c357aa 100644
--- a/DigitalData.Core.Security/Config/TokenDescription.cs
+++ b/DigitalData.Core.Security/Config/TokenDescription.cs
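Review bot: In the new AfterCreate handler, `tDesc.SigningAlgorithm` is passed straight into `decryptor.CreateSigningCredentials` without being checked against the RSA key it will sign with, so a config typo or a non-RSA identifier (an HMAC or EC name) would, unless CreateSigningCredentials validates it itself, surface only at the first signing call instead of at startup where this handler already fails fast for a missing decryptor. Guard it before the assignment, for example `if (tDesc.SigningAlgorithm is not (SecurityAlgorithms.RsaSha256 or SecurityAlgorithms.RsaSha384 or SecurityAlgorithms.RsaSha512)) throw new InvalidOperationException($"Unsupported signing algorithm '{tDesc.SigningAlgorithm}' for Issuer '{tDesc.Issuer}' and Audience '{tDesc.Audience}'.");` (extend the list with the RSA-PSS names if the project supports them). Separately, the signing key is obtained from an `RSADecryptor`, which suggests the same RSA key pair is used both to decrypt payloads and to sign tokens; if that is the case, a comment such as `// NOTE: token signing reuses the issuer/audience decryption key — consider a dedicated signing key pair` should make the key reuse explicit so it can be revisited. The constructor this handler belongs to opens in the previous hunk.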
@@ -69,5 +69,22 @@ namespace DigitalData.Core.Security.Config
 ///
 ///
 public IDictionary AdditionalInnerHeaderClaims { get; set; }
+
+ ///
+ /// Gets or sets the used to create a security token.
+ ///
+ public SigningCredentials SigningCredentials { get; set; }
+
+ ///
+ /// Specifies the signature algorithm to be applied to the .
+ /// Default is .
+ ///
+ public string SigningAlgorithm { get; init; } = SecurityAlgorithms.RsaSha256;
+
+ ///
+ /// Optionally specifies the digest algorithm to be applied during the signing process for the .
+ /// If not provided, the default algorithm is used.
+ ///
+ public string? SigningDigest = null;
 }
 }
\ No newline at end of file
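Review bot: `SigningDigest` is added as a public field (`public string? SigningDigest = null;`) while every other member in the hunk is a property, so it escapes the `init`-only contract its sibling `SigningAlgorithm` has and the `= null` initializer is redundant; it should read `public string? SigningDigest { get; init; }`. `SigningCredentials` is given a public setter although the only assignment visible in this commit is the one from the AsymCryptParams AfterCreate hook, which means any code holding a TokenDescription can swap the signing key after startup; if nothing outside this assembly assigns it, `public SigningCredentials SigningCredentials { get; internal set; }` closes that. With nullable reference types in effect (the file already uses `string?`), the non-nullable `SigningCredentials` auto-property without an initializer will also raise CS8618 in the constructor; declaring it `SigningCredentials?` would state honestly that it is unset until the hook runs. The enclosing class starts above the hunk.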