diff --git a/dist/index.js b/dist/index.js
index 4b92ff2..f591e0e 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -999,16 +999,17 @@ async function retrieveToken(method, client) {
             return await getClientToken(client, method, path, { token: githubToken });
         }
         case 'jwt': {
-            const role = core.getInput('role', { required: true });
-            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
-            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
-            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
-            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
             /** @type {string} */
             let jwt;
             const actionsIDTokenRequestToken = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'];
             const actionsIDTokenRequestURL = process.env['ACTIONS_ID_TOKEN_REQUEST_URL'];
 
+            const role = core.getInput('role', { required: true });
+            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: (!(actionsIDTokenRequestToken && actionsIDTokenRequestURL)) });
+            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
+            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
+            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
+
             if (!privateKeyRaw && actionsIDTokenRequestToken && actionsIDTokenRequestURL) {
                 jwt = await getJwt(actionsIDTokenRequestToken, `${actionsIDTokenRequestURL}&audience=sigstore`);
             } else {
diff --git a/src/auth.js b/src/auth.js
index e893a2c..5984060 100644
--- a/src/auth.js
+++ b/src/auth.js
@@ -24,16 +24,17 @@ async function retrieveToken(method, client) {
             return await getClientToken(client, method, path, { token: githubToken });
         }
         case 'jwt': {
-            const role = core.getInput('role', { required: true });
-            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: false });
-            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
-            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
-            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
             /** @type {string} */
             let jwt;
             const actionsIDTokenRequestToken = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'];
             const actionsIDTokenRequestURL = process.env['ACTIONS_ID_TOKEN_REQUEST_URL'];
 
+            const role = core.getInput('role', { required: true });
+            const privateKeyRaw = core.getInput('jwtPrivateKey', { required: (!(actionsIDTokenRequestToken && actionsIDTokenRequestURL)) });
+            const privateKey = Buffer.from(privateKeyRaw, 'base64').toString();
+            const keyPassword = core.getInput('jwtKeyPassword', { required: false });
+            const tokenTtl = core.getInput('jwtTtl', { required: false }) || '3600'; // 1 hour
+
             if (!privateKeyRaw && actionsIDTokenRequestToken && actionsIDTokenRequestURL) {
                 jwt = await getJwt(actionsIDTokenRequestToken, `${actionsIDTokenRequestURL}&audience=sigstore`);
             } else {