diff --git a/src/Entities/AccessTokenEntity.php b/src/Entities/AccessTokenEntity.php
index 3e87935..9c077fe 100644
--- a/src/Entities/AccessTokenEntity.php
+++ b/src/Entities/AccessTokenEntity.php
@@ -21,6 +21,12 @@ class AccessTokenEntity implements AccessTokenEntityInterface {
   public function convertToJWT(CryptKey $privateKey) {
     $private_claims = [];
     \Drupal::moduleHandler()->alter('simple_oauth_private_claims', $private_claims, $this);
+    if (!is_array($private_claims)) {
+      $message = 'An implementation of hook_simple_oauth_private_claims_alter ';
+      $message .= 'returns an invalid $private_claims value. $private_claims ';
+      $message .= 'must be an array.';
+      throw new \InvalidArgumentException($message);
+    }
     $builder = (new Builder())
       ->setAudience($this->getClient()->getIdentifier())
       ->setId($this->getIdentifier(), TRUE)
@@ -30,14 +36,12 @@ class AccessTokenEntity implements AccessTokenEntityInterface {
       ->setSubject($this->getUserIdentifier())
       ->set('scopes', $this->getScopes());
 
-    if (!empty($private_claims)) {
-      foreach ($private_claims as $key => $value) {
-        $builder->set($key, $value);
-      }
+    foreach ($private_claims as $claim_name => $value) {
+      $builder->set($claim_name, $value);
     }
 
-    $token = $builder->sign(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()))
-      ->getToken();
+    $key = new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase());
+    $token = $builder->sign(new Sha256(), $key)->getToken();
     return $token;
   }