diff --git a/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java b/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java
index 9cb3c71952b..4efefe2d3ed 100644
--- a/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java
+++ b/services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java
@@ -244,7 +244,7 @@ public class DefaultTokenManager implements TokenManager {
         switch (category) {
             case ACCESS:
                 ClientModel client = session.getContext().getClient();
-                return OIDCAdvancedConfigWrapper.fromClientModel(client).isUseRfc9068AccessTokenHeaderType()
+                return client != null && OIDCAdvancedConfigWrapper.fromClientModel(client).isUseRfc9068AccessTokenHeaderType()
                     ? TokenUtil.TOKEN_TYPE_JWT_ACCESS_TOKEN
                     : "JWT";
             case LOGOUT: