diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
index 67893912c..a4359dae6 100644
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@@ -201,15 +201,14 @@ create2(#{use_jwks := false,
           secret := Secret0,
           secret_base64_encoded := Base64Encoded,
           verify_claims := VerifyClaims}) ->
-    Secret = case Base64Encoded of
-                 true ->
-                     base64:decode(Secret0);
-                 false ->
-                     Secret0
-             end,
-    JWK = jose_jwk:from_oct(Secret),
-    {ok, #{jwk => JWK,
-           verify_claims => VerifyClaims}};
+    case may_decode_secret(Base64Encoded, Secret0) of
+        {error, Reason} ->
+            {error, Reason};
+        Secret ->
+            JWK = jose_jwk:from_oct(Secret),
+            {ok, #{jwk => JWK,
+                verify_claims => VerifyClaims}}
+    end;                                                                                           
 
 create2(#{use_jwks := false,
           algorithm := 'public-key',
@@ -234,6 +233,14 @@ create2(#{use_jwks := true,
             {error, Reason}
     end.
 
+may_decode_secret(false, Secret) -> Secret;
+may_decode_secret(true, Secret) ->
+    try base64:decode(Secret)
+    catch
+        error : _ ->
+            {error, {invalid_parameter, Secret}}
+    end.
+
 replace_placeholder(L, Variables) ->
     replace_placeholder(L, Variables, []).