diff --git a/authorize/evaluator/headers_evaluator_test.go b/authorize/evaluator/headers_evaluator_test.go
index f64bdbf9b..121bd6f4d 100644
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/pkg/cryptutil"
+ "github.com/pomerium/pomerium/pkg/grpc/session"
 )
 func TestHeadersEvaluator(t *testing.T) {
@@ -41,10 +42,16 @@ func TestHeadersEvaluator(t *testing.T) {
 t.Run("jwt", func(t *testing.T) {
 output, err := eval(t,
- []proto.Message{},
+ []proto.Message{
+ &session.Session{Id: "s1", ImpersonateSessionId: proto.String("s2")},
+ &session.Session{Id: "s2"},
+ },
 &HeadersRequest{
 FromAudience: "from.example.com",
 ToAudience: "to.example.com",
+ Session: RequestSession{
+ ID: "s1",
+ },
 })
 require.NoError(t, err)
@@ -56,8 +63,8 @@ func TestHeadersEvaluator(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, claims["exp"], math.Round(claims["exp"].(float64)))
- assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()), "JWT should expire within 5 minutes, but got: %v", claims["exp"])
+ assert.Equal(t, "s1", claims["sid"], "should set session id to input session id")
 })
 }
diff --git a/authorize/evaluator/opa/policy/headers.rego b/authorize/evaluator/opa/policy/headers.rego
index d567c91d2..fa34b98d0 100644
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@@ -139,6 +139,9 @@ jwt_payload_groups = v {
 true
 }
+# the session id is always set to the input session id, even if impersonating
+jwt_payload_sid := input.session.id
+
 base_jwt_claims := [
 ["iss", jwt_payload_iss],
 ["aud", jwt_payload_aud],
@@ -149,6 +152,7 @@ base_jwt_claims := [
 ["user", jwt_payload_user],
 ["email", jwt_payload_email],
 ["groups", jwt_payload_groups],
+ ["sid", jwt_payload_sid]
 ]
 additional_jwt_claims := [[k, v] |
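Review bot: The new `sid` assertion in the third hunk replaces the only upper-bound check on the `exp` claim instead of being added next to it, so this test no longer catches a regression that issues long-lived upstream JWTs. Keep the removed `assert.LessOrEqual(t, claims["exp"], float64(time.Now().Add(time.Minute*6).Unix()), "JWT should expire within 5 minutes, but got: %v", claims["exp"])` and put the new `assert.Equal(t, "s1", claims["sid"], "should set session id to input session id")` after it; the import hunk does not drop `time`, so this presumably still compiles. The enclosing `t.Run("jwt", ...)` body begins in the previous hunk and its first lines are outside this one.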
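Review bot: `jwt_payload_sid := input.session.id` has no fallback, unlike the neighbouring `jwt_payload_groups` rule whose body ends in `true`; if a request reaches this policy without `input.session` or without an `id` on it, `jwt_payload_sid` is undefined, and because it is a term of `base_jwt_claims` the whole claims array becomes undefined rather than merely omitting `sid`. If unauthenticated requests can be evaluated here (the test only covers a request with `Session.ID` set), add `default jwt_payload_sid := ""` beside the rule so the remaining claims are still emitted, and say so in the comment, e.g. `# the session id is always set to the input session id, even if impersonating; empty when there is no session`. The `jwt_payload_groups` rule starts before this hunk.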