diff --git a/.changeset/blue-forks-cry.md b/.changeset/blue-forks-cry.md
new file mode 100644
index 0000000000..1bcc1d0b59
--- /dev/null
+++ b/.changeset/blue-forks-cry.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend-module-aws-alb-provider': patch
+---
+
+Fix a bug where the signer was checked from the payload instead of the header
diff --git a/plugins/auth-backend-module-aws-alb-provider/src/authenticator.test.ts b/plugins/auth-backend-module-aws-alb-provider/src/authenticator.test.ts
index c0e32d37a3..61c80c4b3c 100644
--- a/plugins/auth-backend-module-aws-alb-provider/src/authenticator.test.ts
+++ b/plugins/auth-backend-module-aws-alb-provider/src/authenticator.test.ts
@@ -35,7 +35,6 @@ describe('AwsAlbProvider', () => {
 email: 'user.name@email.test',
 exp: Date.now() + 10000,
 iss: 'ISSUER_URL',
- signer: 'SIGNER_ARN',
 };
 const signingKey = new TextEncoder().encode('signingKey');
 let mockJwt: string;
@@ -78,7 +77,7 @@ describe('AwsAlbProvider', () => {
 beforeEach(async () => {
 mockJwt = await new SignJWT(mockClaims)
- .setProtectedHeader({ alg: 'HS256' })
+ .setProtectedHeader({ alg: 'HS256', signer: 'SIGNER_ARN' })
 .sign(signingKey);
 });
@@ -206,8 +205,8 @@ describe('AwsAlbProvider', () => {
 });
 it('signer is invalid', async () => {
- const jwt = await new SignJWT({ signer: 'INVALID_SIGNER_ARN' })
- .setProtectedHeader({ alg: 'HS256' })
+ const jwt = await new SignJWT({})
+ .setProtectedHeader({ alg: 'HS256', signer: 'INVALID_SIGNER_ARN' })
 .sign(signingKey);
 const req = {
 header: jest.fn(name => {
diff --git a/plugins/auth-backend-module-aws-alb-provider/src/authenticator.ts b/plugins/auth-backend-module-aws-alb-provider/src/authenticator.ts
index f62fe4175b..8a32b05a92 100644
--- a/plugins/auth-backend-module-aws-alb-provider/src/authenticator.ts
+++ b/plugins/auth-backend-module-aws-alb-provider/src/authenticator.ts
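Review bot: In the 'signer is invalid' case the token is now signed with an empty payload, so it carries no `iss` and the authenticator rejects it at the issuer check before the header-based signer comparison is ever reached (the assertion lives outside the hunk, so this is inferred from the order of checks in authenticator.ts); the test therefore passes whether or not the new signer branch works. Building the token from the valid claims, `const jwt = await new SignJWT(mockClaims)` with the `INVALID_SIGNER_ARN` header kept as written, lets the issuer check pass and exercises the branch this commit changes. The enclosing `it` block continues past the hunk.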
@@ -15,7 +15,7 @@
 */
 import { AuthenticationError } from '@backstage/errors';
-import { AwsAlbClaims, AwsAlbResult } from './types';
+import { AwsAlbClaims, AwsAlbResult, AwsAlbProtectedHeader } from './types';
 import { jwtVerify } from 'jose';
 import {
 PassportProfile,
@@ -60,11 +60,12 @@ export const awsAlbAuthenticator = createProxyAuthenticator({
 try {
 const verifyResult = await jwtVerify(jwt, getKey);
+ const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;
 const claims = verifyResult.payload as AwsAlbClaims;
 if (claims?.iss !== issuer) {
 throw new AuthenticationError('Issuer mismatch on JWT token');
- } else if (signer && claims?.signer !== signer) {
+ } else if (signer && header?.signer !== signer) {
 throw new AuthenticationError('Signer mismatch on JWT token');
 }
diff --git a/plugins/auth-backend-module-aws-alb-provider/src/types.ts b/plugins/auth-backend-module-aws-alb-provider/src/types.ts
index 679535804e..b4c792a5f9 100644
--- a/plugins/auth-backend-module-aws-alb-provider/src/types.ts
+++ b/plugins/auth-backend-module-aws-alb-provider/src/types.ts
@@ -38,5 +38,10 @@ export type AwsAlbClaims = {
 email: string;
 exp: number;
 iss: string;
- signer: string;
+};
+/**
+ * @internal
+ */
+export type AwsAlbProtectedHeader = {
+ signer?: string;
 };
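Review bot: The `as AwsAlbProtectedHeader` assertion on the new `header` line tells the compiler that `signer` is a string, but the protected header is caller-supplied JSON and nothing here narrows it at runtime; a non-string value still fails the strict `!==` and is rejected, so the outcome is right, yet a typeof guard states the intent and drops the optional chain on a value jose always populates after a successful verify: `const signerHeader = verifyResult.protectedHeader.signer;` followed by `} else if (signer && (typeof signerHeader !== 'string' || signerHeader !== signer)) {` (keep the cast only if jose's header type in this version does not expose extra members as `unknown`). The comparison is still skipped entirely when no `signer` is configured (`signer &&`), which predates this change; a one-line comment above the branch such as `// Signer check is opt-in: with no configured signer, any verified token passes this step` would make that visible to operators. `awsAlbAuthenticator` and the `getKey` resolver that picks the verification key both begin outside the hunk.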
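Review bot: Removing `signer` from the exported `AwsAlbClaims` type is a breaking change for any consumer that reads `claims.signer`, while the changeset declares this release as `patch`; whether the type is part of the package's public API cannot be seen from the hunk, so either confirm it is internal or bump the changeset level. The new `AwsAlbProtectedHeader` type carries only `@internal`; a docstring saying that it models the protected (JOSE) header of the token issued by the load balancer and that `signer` identifies the load balancer that signed it (an ARN in the tests) and is compared against the configured `signer` when one is set would tell maintainers why the field moved out of the payload.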