diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 66c523dc..84887de6 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -2,6 +2,7 @@ package provisioner
 import (
 "context"
+ "crypto/ecdh"
 "crypto/ed25519"
 "crypto/x509"
 "encoding/base64"
@@ -338,9 +339,15 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*nebula.Nebul
 }
 var pub interface{}
- if c.Details.IsCA {
+ switch {
+ case c.Details.Curve == nebula.Curve_P256:
+ // When Nebula is used with ECDSA P-256 keys, both CAs and clients use the same type.
+ if pub, err = ecdh.P256().NewPublicKey(c.Details.PublicKey); err != nil {
+ return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula public key"))
+ }
+ case c.Details.IsCA:
 pub = ed25519.PublicKey(c.Details.PublicKey)
- } else {
+ default:
 pub = x25519.PublicKey(c.Details.PublicKey)
 }