diff --git a/changelog/unreleased/signing-keys-opaqueid b/changelog/unreleased/signing-keys-opaqueid
new file mode 100644
index 0000000000..6f8b3b70cf
--- /dev/null
+++ b/changelog/unreleased/signing-keys-opaqueid
@@ -0,0 +1,8 @@
+Bugfix: Use opaque ID of a user for signing keys
+
+OCIS switched from user the user's opaque ID (UUID) everywhere,
+so to keep compatible we have adjusted the signing keys endpoint
+to also use the UUID when storing and generating the keys.
+
+https://github.com/owncloud/ocis/issues/436
+https://github.com/owncloud/ocis-ocs/pull/32
diff --git a/pkg/service/v0/users.go b/pkg/service/v0/users.go
index 0a71607cbb..aef9ae5b7b 100644
--- a/pkg/service/v0/users.go
+++ b/pkg/service/v0/users.go
@@ -261,17 +261,20 @@ func (o Ocs) GetSigningKey(w http.ResponseWriter, r *http.Request) {
 return
 }

+ // use the user's UUID
+ userID := u.Id.OpaqueId
+
 c := storepb.NewStoreService("com.owncloud.api.store", grpc.NewClient())
 res, err := c.Read(r.Context(), &storepb.ReadRequest{
 Options: &storepb.ReadOptions{
 Database: "proxy",
 Table: "signing-keys",
 },
- Key: u.Username,
+ Key: userID,
 })
 if err == nil && len(res.Records) > 0 {
 render.Render(w, r, response.DataRender(&data.SigningKey{
- User: u.Username,
+ User: userID,
 SigningKey: string(res.Records[0].Value),
 }))
 return
@@ -279,10 +282,8 @@ func (o Ocs) GetSigningKey(w http.ResponseWriter, r *http.Request) {
 if err != nil {
 e := merrors.Parse(err.Error())
 if e.Code == http.StatusNotFound {
- //o.logger.Debug().Str("username", u.Username).Msg("signing key not found")
 // not found is ok, so we can continue and generate the key on the fly
 } else {
- //o.logger.Err(err).Msg("error reading from store")
 render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, "error reading from store"))
 return
 }
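Review bot: In the `@@ -261` hunk, `userID := u.Id.OpaqueId` dereferences `u.Id` with no visible nil check and accepts an empty `OpaqueId`, and that value then becomes the store key for the read here and for the write and response in the `@@ -304` and `@@ -317` hunks. A nil `u.Id` would panic the handler, and an empty opaque ID would make every such user read and write the same `signing-keys` record, so they would share one signing key. Unless the check that ends just above this hunk already covers it (the function starts outside the hunk), add a guard that returns a server error when `u.Id == nil || u.Id.OpaqueId == ""` before the store is touched.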
@@ -292,7 +293,6 @@ func (o Ocs) GetSigningKey(w http.ResponseWriter, r *http.Request) {
 key := make([]byte, 64)
 _, err = rand.Read(key[:])
 if err != nil {
- //o.logger.Error().Err(err).Msg("could not generate signing key")
 render.Render(w, r, response.ErrRender(data.MetaServerError.StatusCode, "could not generate signing key"))
 return
 }
@@ -304,7 +304,7 @@ func (o Ocs) GetSigningKey(w http.ResponseWriter, r *http.Request) {
 Table: "signing-keys",
 },
 Record: &storepb.Record{
- Key: u.Username,
+ Key: userID,
 Value: []byte(signingKey),
 // TODO Expiry?
 },
@@ -317,7 +317,7 @@ func (o Ocs) GetSigningKey(w http.ResponseWriter, r *http.Request) {
 }

 render.Render(w, r, response.DataRender(&data.SigningKey{
- User: u.Username,
+ User: userID,
 SigningKey: signingKey,
 }))
 }
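Review bot: In the `@@ -304` hunk, writing the record under `Key: userID` leaves the records previously stored under `u.Username` in `signing-keys` unread from now on, and with `// TODO Expiry?` still open nothing removes them, so old signing-key material stays in the store. Nothing in the visible diff migrates or deletes those legacy entries, though that may happen elsewhere. At minimum document it beside the `Record` literal, e.g. `// NOTE: entries written before the switch to opaque IDs are keyed by username and are not cleaned up here`, and consider resolving the expiry TODO so stale keys age out. The write call starts and ends outside this hunk.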