diff --git a/pom.xml b/pom.xml
index ed08a3d18..34858f85f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,6 +47,7 @@
 		<dagger.version>2.45</dagger.version>
 		<easybind.version>2.2</easybind.version>
 		<guava.version>32.0.0-jre</guava.version>
+		<jackson.version>2.15.2</jackson.version>
 		<gson.version>2.10.1</gson.version>
 		<javafx.version>20.0.1</javafx.version>
 		<jwt.version>4.4.0</jwt.version>
@@ -157,6 +158,11 @@
 			<artifactId>nimbus-jose-jwt</artifactId>
 			<version>${nimbus-jose.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>${jackson.version}</version>
+		</dependency>
 
 		<!-- EasyBind -->
 		<dependency>
@@ -206,7 +212,7 @@
 			<artifactId>dagger</artifactId>
 			<version>${dagger.version}</version>
 		</dependency>
-		<dependency>
+		<dependency> <!-- TODO replace with jackson -->
 			<groupId>com.google.code.gson</groupId>
 			<artifactId>gson</artifactId>
 			<version>${gson.version}</version>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 41105ff15..2213ff0d9 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -38,7 +38,8 @@ open module org.cryptomator.desktop {
 	requires ch.qos.logback.core;
 	requires com.auth0.jwt;
 	requires com.google.common;
-	requires com.google.gson;
+	requires com.fasterxml.jackson.databind;
+	requires com.google.gson; // TODO replace with jackson?
 	requires com.nimbusds.jose.jwt;
 	requires com.nulabinc.zxcvbn;
 	requires com.tobiasdiez.easybind;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
index 7c2bc8be7..5f462b170 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -1,6 +1,9 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
 // needs to be accessible by JSON decoder
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class HubConfig {
 
 	public String clientId;
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/HubConfigTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/HubConfigTest.java
new file mode 100644
index 000000000..bb39516a0
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/HubConfigTest.java
@@ -0,0 +1,19 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.auth0.jwt.JWT;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+public class HubConfigTest {
+
+	@Test
+	@DisplayName("can parse JWT with unknown fields in header claim \"hub\"")
+	public void testParseJWTWithUnknownFields() {
+		var jwt = JWT.decode("eyJraWQiOiIxMjMiLCJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiIsImh1YiI6eyJ1bmtub3duRmllbGQiOjQyLCJjbGllbnRJZCI6ImNyeXB0b21hdG9yIn19.eyJqdGkiOiI0NTYifQ.e1CStFf5fdh9ofX_6O8_LfbHfHEJZqUpuYNWz9xZp0I");
+		var claim = jwt.getHeaderClaim("hub");
+		var hubConfig = Assertions.assertDoesNotThrow(() -> claim.as(HubConfig.class));
+		Assertions.assertEquals("cryptomator", hubConfig.clientId);
+	}
+
+}
\ No newline at end of file