diff --git a/integration/cluster.go b/integration/cluster.go
index 9944dc8bbfd..a1840f73409 100644
--- a/integration/cluster.go
+++ b/integration/cluster.go
@@ -107,6 +107,8 @@ var (
 		ClientCertAuth: true,
 	}
 
+	defaultTokenJWT = "jwt,pub-key=./fixtures/server.crt,priv-key=./fixtures/server.key.insecure,sign-method=RS256,ttl=1s"
+
 	lg = zap.NewNop()
 )
 
@@ -123,6 +125,8 @@ type ClusterConfig struct {
 
 	DiscoveryURL string
 
+	AuthToken string
+
 	UseGRPC bool
 
 	QuotaBackendBytes int64
@@ -272,6 +276,7 @@ func (c *cluster) mustNewMember(t *testing.T) *member {
 	m := mustNewMember(t,
 		memberConfig{
 			name:                     c.name(rand.Int()),
+			authToken:                c.cfg.AuthToken,
 			peerTLS:                  c.cfg.PeerTLS,
 			clientTLS:                c.cfg.ClientTLS,
 			quotaBackendBytes:        c.cfg.QuotaBackendBytes,
@@ -557,6 +562,7 @@ type memberConfig struct {
 	name                     string
 	peerTLS                  *transport.TLSInfo
 	clientTLS                *transport.TLSInfo
+	authToken                string
 	quotaBackendBytes        int64
 	maxTxnOps                uint
 	maxRequestBytes          uint
@@ -632,7 +638,13 @@ func mustNewMember(t *testing.T, mcfg memberConfig) *member {
 	if mcfg.snapshotCatchUpEntries != 0 {
 		m.SnapshotCatchUpEntries = mcfg.snapshotCatchUpEntries
 	}
-	m.AuthToken = "simple"              // for the purpose of integration testing, simple token is enough
+
+	// for the purpose of integration testing, simple token is enough
+	m.AuthToken = "simple"
+	if mcfg.authToken != "" {
+		m.AuthToken = mcfg.authToken
+	}
+
 	m.BcryptCost = uint(bcrypt.MinCost) // use min bcrypt cost to speedy up integration testing
 
 	m.grpcServerOpts = []grpc.ServerOption{}
diff --git a/integration/v3_auth_test.go b/integration/v3_auth_test.go
index 97017a07fae..bec4f8ae423 100644
--- a/integration/v3_auth_test.go
+++ b/integration/v3_auth_test.go
@@ -109,9 +109,19 @@ func TestV3AuthRevision(t *testing.T) {
 // TestV3AuthWithLeaseRevokeWithRoot ensures that granted leases
 // with root user be revoked after TTL.
 func TestV3AuthWithLeaseRevokeWithRoot(t *testing.T) {
+	testV3AuthWithLeaseRevokeWithRoot(t, ClusterConfig{Size: 1})
+}
+
+// TestV3AuthWithLeaseRevokeWithRootJWT creates a lease with a JWT-token enabled cluster.
+// And tests if server is able to revoke expiry lease item.
+func TestV3AuthWithLeaseRevokeWithRootJWT(t *testing.T) {
+	testV3AuthWithLeaseRevokeWithRoot(t, ClusterConfig{Size: 1, AuthToken: defaultTokenJWT})
+}
+
+func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg ClusterConfig) {
 	defer testutil.AfterTest(t)
 
-	clus := NewClusterV3(t, &ClusterConfig{Size: 1})
+	clus := NewClusterV3(t, &ccfg)
 	defer clus.Terminate(t)
 
 	api := toGRPC(clus.Client(0))