diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 13649adad2..61a44274c2 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -189,10 +189,10 @@ def _decode(self, token, secret=None):
         else:
             try:
                 header = jwt.get_unverified_header(token)
+                key = self._get_key(header.get("kid"))  # Can raise PyJWKClientError
             except Exception as e:
                 _logger.info("Invalid token: %s", e)
                 raise UnauthorizedInvalidToken() from e
-            key = self._get_key(header.get("kid"))
             algorithm = self.public_key_algorithm
         try:
             payload = jwt.decode(