diff --git a/refstack/api/utils.py b/refstack/api/utils.py
index ddb385c0..44699e19 100644
--- a/refstack/api/utils.py
+++ b/refstack/api/utils.py
@@ -385,7 +385,8 @@ def decode_token(request):
 raise api_exc.ValidationError( "Authorization schema 'Bearer' should be used")
 try:
- token_data = jwt.decode(token, algorithms='RS256', verify=False)
+ token_data = jwt.decode(token, algorithms=['RS256'],
+ options={"verify_signature": False})
 except jwt.InvalidTokenError:
 raise api_exc.ValidationError("Token is not valid")
@@ -408,10 +409,10 @@ def decode_token(request):
 else:
 try:
 token_data = jwt.decode(
- token, key=pem_pubkey,
+ token, algorithms=['RS256'], key=pem_pubkey,
 options={'verify_signature': True, 'verify_exp': True,
- 'require_exp': True},
+ 'require': ['exp']},
 leeway=const.JWT_VALIDATION_LEEWAY)
 # NOTE(sslipushenko) If at least one key is valid, let
 # the validation pass
diff --git a/refstack/tests/unit/test_api_utils.py b/refstack/tests/unit/test_api_utils.py
index 6a7a0ef3..25c54f61 100644
--- a/refstack/tests/unit/test_api_utils.py
+++ b/refstack/tests/unit/test_api_utils.py
@@ -22,7 +22,6 @@ from oslo_utils import timeutils
 from oslotest import base
 from pecan import rest
 import jwt
-import six
 from six.moves.urllib import parse
 from webob import exc
@@ -547,14 +546,14 @@ class APIUtilsTestCase(base.BaseTestCase):
 fake_token = jwt.encode({'foo': 'bar'}, key=PRIV_KEY, algorithm='RS256')
- auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8')
+ auth_str = 'Bearer %s' % fake_token
 mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str}
 self.assertRaises(api_exc.ValidationError, api_utils.decode_token, mock_request)
 fake_token = jwt.encode({const.USER_OPENID: 'oid'}, key=PRIV_KEY, algorithm='RS256')
- auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8')
+ auth_str = 'Bearer %s' % fake_token
 mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str}
 mock_pubkey.return_value = [{'format': 'ssh-rsa', 'pubkey': 'fakepubkey'}]
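Review bot: The first `jwt.decode` on the new side is an unverified decode: with `"verify_signature": False` PyJWT 2 skips the signature and every other claim check as well, and the `algorithms=['RS256']` argument has no effect on that call, yet nothing in the hunk marks the resulting `token_data` as untrusted. The test hunk in this commit suggests these claims are only used to locate the user's public keys before the keyed decode in the following hunk, which is the right shape, but a comment should pin that down so a later edit does not act on unverified claims: `# Unverified decode: claims are attacker-controlled until the keyed decode below succeeds; use them only to look up the signing key.`. decode_token starts before this hunk and continues past it.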
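Review bot: In the keyed decode, `'verify_signature': True` and `'verify_exp': True` are the PyJWT 2 defaults, so of the options dict only `'require': ['exp']` changes behaviour. If they are kept as an explicit statement of intent next to the unverified decode above, a short comment should say so, e.g. `# defaults spelled out on purpose: signature and expiry must both be checked`; otherwise the dict can shrink to `options={'require': ['exp']}`. The enclosing try/except and what appears to be a per-key loop (per the NOTE comment) continue outside the hunk.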
@@ -570,7 +569,7 @@ class APIUtilsTestCase(base.BaseTestCase):
 'exp': int(time.time()) + 3600}, key=PRIV_KEY, algorithm='RS256')
- auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8')
+ auth_str = 'Bearer %s' % fake_token
 mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str}
 mock_pubkey.return_value = [{'format': 'ssh-rsa', 'pubkey': PUB_KEY}]
diff --git a/requirements.txt b/requirements.txt
index c9de66e4..757564b6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@ SQLAlchemy>=0.8.3
 alembic
 beaker
 beautifulsoup4
-cryptography>=1.0,!=1.3.0 # BSD/Apache-2.0
+cryptography>=3.0 # BSD/Apache-2.0
 docutils>=0.11
 oslo.config>=1.6.0 # Apache-2.0
 oslo.db>=1.4.1 # Apache-2.0
@@ -13,6 +13,6 @@ pecan>=0.8.2
 requests>=2.2.0,!=2.4.0
 requests-cache>=0.4.9
 jsonschema>=3.2.0
-PyJWT>=1.0.1 # MIT
+PyJWT>=2.0.0 # MIT
 WebOb>=1.7.1 # MIT
 PyMySQL>=0.6.2,!=0.6.4