diff --git a/server/auth/jwt_test.go b/server/auth/jwt_test.go
index 374db63c6224..8cdc1abbb020 100644
--- a/server/auth/jwt_test.go
+++ b/server/auth/jwt_test.go
@@ -18,7 +18,9 @@ import (
 "context"
 "fmt"
 "testing"
+ "time"
+ jwt "github.com/golang-jwt/jwt/v4"
 "go.uber.org/zap"
 )
@@ -155,10 +157,43 @@ func testJWTNoUsernameRevisionInfo(t *testing.T, opts map[string]string, flag st
 ctx := context.TODO()
- ai, ok := jwt.info(ctx, "aaa", 120)
+ token, aerr := jwt.testNoDataAssign(ctx)
+ if aerr != nil {
+ t.Fatalf("%#v", aerr)
+ }
+
+ ai, ok := jwt.info(ctx, token, 120)
 if ok || ai != nil {
- t.Fatalf("expected aaa to fail to authenticate, got %+v", ai)
+ t.Fatalf("expected empty token to fail to authenticate, got %+v", ai)
+ }
+}
+
+func (t *tokenJWT) testNoDataAssign(ctx context.Context) (string, error) {
+ if t.verifyOnly {
+ return "", ErrVerifyOnly
 }
+
+ // Future work: let a jwt token include permission information would be useful for
+ // permission checking in proxy side.
+ tk := jwt.NewWithClaims(t.signMethod,
+ jwt.MapClaims{
+ "exp": time.Now().Add(t.ttl).Unix(),
+ })
+
+ token, err := tk.SignedString(t.key)
+ if err != nil {
+ t.lg.Debug(
+ "failed to sign a JWT token",
+ zap.Error(err),
+ )
+ return "", err
+ }
+
+ t.lg.Debug(
+ "created/assigned a new JWT token",
+ zap.String("token", token),
+ )
+ return token, err
 }
 func TestJWTBad(t *testing.T) {
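Review bot: The negative case added to `testJWTNoUsernameRevisionInfo` only covers a validly signed token whose claims hold `exp` alone, so a token carrying `username` without `revision`, or either claim with an unexpected type, is not exercised. `info` is not visible in this hunk, so I can't tell whether those shapes are rejected; passing the claim set into the helper and looping over a small table would pin them. The failure message `expected empty token to fail to authenticate` is misleading because the token is signed and non-empty; `expected token without username/revision claims to fail to authenticate` describes what is checked. In `testNoDataAssign`, `zap.String("token", token)` writes the full signed token to the debug log, which is a habit worth dropping even in a test helper, and the final `return token, err` reads more clearly as `return token, nil`. The test function starts outside the hunk.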