diff --git a/core/common/lib/crypto-common-lib/build.gradle.kts b/core/common/lib/crypto-common-lib/build.gradle.kts
index 9e9d4cae950..2010c8e4bcf 100644
--- a/core/common/lib/crypto-common-lib/build.gradle.kts
+++ b/core/common/lib/crypto-common-lib/build.gradle.kts
@@ -18,10 +18,11 @@ plugins {
 dependencies {
     api(project(":spi:common:identity-did-spi"))
     api(project(":spi:common:identity-trust-spi"))
+    api(libs.nimbus.jwt) // nimbus classes are exposed on the API surface of CryptoConverter and DefaultJwsSignerProvider
     implementation(project(":core:common:lib:util-lib"))
     implementation(project(":spi:common:core-spi"))
+    implementation(project(":spi:common:jwt-signer-spi"))
 
-    implementation(libs.nimbus.jwt)
     // used for the Ed25519 Verifier in conjunction with OctetKeyPairs (OKP)
     runtimeOnly(libs.tink)
     // Java does not natively implement elliptic curve multiplication, so we need to get bouncy
diff --git a/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java b/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java
new file mode 100644
index 00000000000..417470ba1fa
--- /dev/null
+++ b/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java
@@ -0,0 +1,39 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.security.token.jwt;
+
+import com.nimbusds.jose.JWSSigner;
+import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.keys.spi.PrivateKeyResolver;
+import org.eclipse.edc.spi.result.Result;
+
+/**
+ * Provides a {@link JWSSigner} that is created based on a private key's algorithm.
+ * Note that the private key will be held in memory for the duration of the instantiation of the {@link JWSSigner}.
+ */
+public class DefaultJwsSignerProvider implements JwsSignerProvider {
+
+    private final PrivateKeyResolver privateKeyResolver;
+
+    public DefaultJwsSignerProvider(PrivateKeyResolver privateKeyResolver) {
+        this.privateKeyResolver = privateKeyResolver;
+    }
+
+    @Override
+    public Result<JWSSigner> createJwsSigner(String privateKeyId) {
+        return privateKeyResolver.resolvePrivateKey(privateKeyId)
+                .compose(pk -> Result.ofThrowable(() -> CryptoConverter.createSignerFor(pk)));
+    }
+}
diff --git a/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java b/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java
index 3941cac5143..362e8dbf73b 100644
--- a/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java
+++ b/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java
@@ -19,8 +19,7 @@
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Provider;
-import org.eclipse.edc.security.token.jwt.CryptoConverter;
-import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.security.token.jwt.DefaultJwsSignerProvider;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.token.spi.TokenDecoratorRegistry;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
@@ -57,7 +56,6 @@ public TokenDecoratorRegistry tokenDecoratorRegistry() {
     @Provider(isDefault = true)
     public JwsSignerProvider defaultSignerProvider() {
         // default implementation: resolve the private key (from vault of config) and create a JWSSigner based on its algorithm
-        return privateKeyId -> privateKeyResolver.resolvePrivateKey(privateKeyId)
-                .compose(pk -> Result.ofThrowable(() -> CryptoConverter.createSignerFor(pk)));
+        return new DefaultJwsSignerProvider(privateKeyResolver);
     }
 }