diff --git a/ssi-ucan/src/error.rs b/ssi-ucan/src/error.rs
index d36cede58..553cc2eae 100644
--- a/ssi-ucan/src/error.rs
+++ b/ssi-ucan/src/error.rs
@@ -10,6 +10,8 @@ pub enum Error {
 VerificationMethodMismatch,
 #[error("Missing UCAN field, expected: '{0}'")]
 MissingUCANHeaderField(&'static str),
+ #[error("Header contains invalid fields")]
+ InvalidHeaderEntries(ssi_jws::Header),
 #[error("Invalid DID URL")]
 DIDURL,
 #[error(transparent)]
diff --git a/ssi-ucan/src/lib.rs b/ssi-ucan/src/lib.rs
index d50885237..009ba364c 100644
--- a/ssi-ucan/src/lib.rs
+++ b/ssi-ucan/src/lib.rs
@@ -133,10 +133,27 @@ impl Ucan {
 return Err(Error::MissingUCANHeaderField("type: JWT"));
 }
+ // header can only contain 'typ' and 'alg' fields
+ if parts.header
+ != (Header {
+ algorithm: parts.header.algorithm,
+ type_: Some("JWT".to_string()),
+ ..Default::default()
+ })
+ {
+ return Err(Error::InvalidHeaderEntries(parts.header));
+ };
+
+ // aud must be a DID
 if !payload.audience.starts_with("did:") {
 return Err(Error::DIDURL);
 }
+ // iss must be a DID
+ if !payload.issuer.starts_with("did:") {
+ return Err(Error::DIDURL);
+ }
+
 Ok(Self {
 header: parts.header,
 payload,
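Review bot: `InvalidHeaderEntries(ssi_jws::Header)` stores the whole rejected header in the error, so header values taken from the token travel with the error into whatever formats or logs it, and every `Result<_, Error>` grows to at least the size of `Header`. If callers only need to know that unexpected fields were present, a unit variant or a list of the offending field names would be enough. Otherwise consider `InvalidHeaderEntries(Box<ssi_jws::Header>)` (with `Box::new(parts.header)` at the call site in lib.rs) and a doc comment such as `/// Carries the rejected header; its contents come from the untrusted token`. The enum's derives are outside the hunk, so whether the payload is reachable through `Debug` output is an assumption here.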
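Review bot: The new `iss` check, like the existing `aud` check, only tests for the `did:` prefix, so a value such as `did:` with nothing after it is accepted as a DID. Both failures also return the same `Error::DIDURL`, so the caller cannot tell which claim was rejected. If a DID parser is already available to this crate (not visible in the hunk), parsing both claims would be stricter; failing that, the comments should state what is actually enforced, e.g. `// iss must start with "did:" (prefix check only, not full DID syntax)`. Separately, the header comparison ends in `};` where a plain `}` is conventional, and it appears to make the `type: JWT` check just above it redundant. The enclosing function starts and ends outside the hunk.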