diff --git a/lib/jwe/encrypt.js b/lib/jwe/encrypt.js
index 20560ea7..639751e6 100644
--- a/lib/jwe/encrypt.js
+++ b/lib/jwe/encrypt.js
@@ -89,6 +89,10 @@ class Encrypt {
     const enc = jweHeader.enc
     let alg = jweHeader.alg
 
+    if (key.use === 'sig') {
+      throw new TypeError('a key with "use":"sig" is not usable for encryption')
+    }
+
     if (alg === 'dir') {
       check(key, 'encrypt', enc)
     } else if (alg) {
diff --git a/lib/jws/sign.js b/lib/jws/sign.js
index 9f363336..c0b047f6 100644
--- a/lib/jws/sign.js
+++ b/lib/jws/sign.js
@@ -69,6 +69,10 @@ class Sign {
   [PROCESS_RECIPIENT] (recipient) {
     const { key, protectedHeader, unprotectedHeader } = recipient
 
+    if (key.use === 'enc') {
+      throw new TypeError('a key with "use":"enc" is not usable for signing')
+    }
+
     const joseHeader = {
       protected: protectedHeader || {},
       unprotected: unprotectedHeader || {}
diff --git a/test/jwe/sanity.test.js b/test/jwe/sanity.test.js
index 86538d2e..2fcde6b8 100644
--- a/test/jwe/sanity.test.js
+++ b/test/jwe/sanity.test.js
@@ -568,3 +568,10 @@ test('JWE general fails with decryption error', t => {
     JWE.decrypt(jwe, k3)
   }, { instanceOf: errors.JWEDecryptionFailed, code: 'ERR_JWE_DECRYPTION_FAILED' })
 })
+
+test('"sig" key is not usable for signing', t => {
+  const k = generateSync('oct', 256, { use: 'sig' })
+  t.throws(() => {
+    JWE.encrypt('foo', k)
+  }, { instanceOf: TypeError, message: 'a key with "use":"sig" is not usable for encryption' })
+})
diff --git a/test/jws/sanity.test.js b/test/jws/sanity.test.js
index 70e87a5d..eefe53d0 100644
--- a/test/jws/sanity.test.js
+++ b/test/jws/sanity.test.js
@@ -281,3 +281,10 @@ test('invalid tokens', t => {
     )
   }, { instanceOf: errors.JOSEInvalidEncoding, code: 'ERR_JOSE_INVALID_ENCODING', message: 'input is not a valid base64url encoded string' })
 })
+
+test('"enc" key is not usable for signing', t => {
+  const k = generateSync('oct', 256, { use: 'enc' })
+  t.throws(() => {
+    JWS.sign({}, k)
+  }, { instanceOf: TypeError, message: 'a key with "use":"enc" is not usable for signing' })
+})
diff --git a/test/jwt/sign.test.js b/test/jwt/sign.test.js
index 202d85a7..78d9f65d 100644
--- a/test/jwt/sign.test.js
+++ b/test/jwt/sign.test.js
@@ -187,3 +187,10 @@ test('when options arent in effect', t => {
   }
   t.deepEqual(payload, JWT.decode(JWT.sign(payload, key, { iat: false })))
 })
+
+test('"enc" key is not usable for signing', t => {
+  const k = JWK.generateSync('oct', 256, { use: 'enc' })
+  t.throws(() => {
+    JWT.sign({}, k)
+  }, { instanceOf: TypeError, message: 'a key with "use":"enc" is not usable for signing' })
+})