diff --git a/packages/pds/package.json b/packages/pds/package.json
index ca32da35009..571dee3f41b 100644
--- a/packages/pds/package.json
+++ b/packages/pds/package.json
@@ -84,12 +84,12 @@
     "@types/disposable-email": "^0.2.0",
     "@types/express": "^4.17.13",
     "@types/express-serve-static-core": "^4.17.36",
-    "@types/jsonwebtoken": "^8.5.9",
     "@types/nodemailer": "^6.4.6",
     "@types/pg": "^8.6.6",
     "@types/qs": "^6.9.7",
     "@types/sharp": "^0.31.0",
     "axios": "^0.27.2",
+    "get-port": "^6.1.2",
     "ws": "^8.12.0"
   }
 }
diff --git a/packages/pds/tests/app-passwords.test.ts b/packages/pds/tests/app-passwords.test.ts
index 0feb0a53712..d228896a6ca 100644
--- a/packages/pds/tests/app-passwords.test.ts
+++ b/packages/pds/tests/app-passwords.test.ts
@@ -1,6 +1,6 @@
 import { TestNetworkNoAppView } from '@atproto/dev-env'
 import AtpAgent from '@atproto/api'
-import * as jwt from 'jsonwebtoken'
+import * as jose from 'jose'
 
 describe('app_passwords', () => {
   let network: TestNetworkNoAppView
@@ -44,9 +44,7 @@ describe('app_passwords', () => {
   })
 
   it('creates an access token for an app with a restricted scope', () => {
-    const decoded = jwt.decode(appAgent.session?.accessJwt ?? '', {
-      json: true,
-    })
+    const decoded = jose.decodeJwt(appAgent.session?.accessJwt ?? '')
     expect(decoded?.scope).toEqual('com.atproto.appPass')
   })
 
diff --git a/packages/pds/tests/auth.test.ts b/packages/pds/tests/auth.test.ts
index ba94ad6ed66..f18f2ab8d7b 100644
--- a/packages/pds/tests/auth.test.ts
+++ b/packages/pds/tests/auth.test.ts
@@ -1,4 +1,4 @@
-import * as jwt from 'jsonwebtoken'
+import * as jose from 'jose'
 import AtpAgent from '@atproto/api'
 import { TestNetworkNoAppView, SeedClient } from '@atproto/dev-env'
 import * as CreateSession from '@atproto/api/src/client/types/com/atproto/server/createSession'
@@ -157,9 +157,9 @@ describe('auth', () => {
     const refresh1 = await refreshSession(account.refreshJwt)
     const refresh2 = await refreshSession(account.refreshJwt)
 
-    const token0 = jwt.decode(account.refreshJwt, { json: true })
-    const token1 = jwt.decode(refresh1.refreshJwt, { json: true })
-    const token2 = jwt.decode(refresh2.refreshJwt, { json: true })
+    const token0 = jose.decodeJwt(account.refreshJwt)
+    const token1 = jose.decodeJwt(refresh1.refreshJwt)
+    const token2 = jose.decodeJwt(refresh2.refreshJwt)
 
     expect(typeof token1?.jti).toEqual('string')
     expect(token1?.jti).toEqual(token2?.jti)
@@ -175,7 +175,7 @@ describe('auth', () => {
       password: 'password',
     })
     await refreshSession(account.refreshJwt)
-    const token = jwt.decode(account.refreshJwt, { json: true })
+    const token = jose.decodeJwt(account.refreshJwt)
 
     // Update expiration (i.e. grace period) to end immediately
     const refreshUpdated = await db.db
diff --git a/packages/pds/tests/entryway.test.ts b/packages/pds/tests/entryway.test.ts
index f861fe38f92..277a258b7c6 100644
--- a/packages/pds/tests/entryway.test.ts
+++ b/packages/pds/tests/entryway.test.ts
@@ -6,6 +6,7 @@ import { Secp256k1Keypair, randomStr } from '@atproto/crypto'
 import { SeedClient, TestPds, TestPlc, mockResolvers } from '@atproto/dev-env'
 import * as pdsEntryway from '@atproto/pds-entryway'
 import * as ui8 from 'uint8arrays'
+import getPort from 'get-port'
 
 describe('entryway', () => {
   let plc: TestPlc
@@ -17,10 +18,10 @@ describe('entryway', () => {
   beforeAll(async () => {
     const jwtSigningKey = await Secp256k1Keypair.create({ exportable: true })
     const plcRotationKey = await Secp256k1Keypair.create({ exportable: true })
+    const entrywayPort = await getPort()
     plc = await TestPlc.create({})
     pds = await TestPds.create({
-      port: plc.port + 1,
-      entrywayUrl: `http://localhost:${plc.port + 2}`,
+      entrywayUrl: `http://localhost:${entrywayPort}`,
       entrywayJwtVerifyKeyK256PublicKeyHex: getPublicHex(jwtSigningKey),
       entrywayPlcRotationKeyK256PublicKeyHex: getPublicHex(plcRotationKey),
       adminPassword: 'admin-pass',
@@ -31,7 +32,7 @@ describe('entryway', () => {
     })
     entryway = await createEntryway({
       dbPostgresSchema: 'entryway',
-      port: plc.port + 2,
+      port: entrywayPort,
       adminPassword: 'admin-pass',
       jwtSigningKeyK256PrivateKeyHex: await getPrivateHex(jwtSigningKey),
       plcRotationKeyK256PrivateKeyHex: await getPrivateHex(plcRotationKey),
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dd6551410d6..40a6dd8c291 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -620,9 +620,6 @@ importers:
       '@types/express-serve-static-core':
         specifier: ^4.17.36
         version: 4.17.36
-      '@types/jsonwebtoken':
-        specifier: ^8.5.9
-        version: 8.5.9
       '@types/nodemailer':
         specifier: ^6.4.6
         version: 6.4.6
@@ -638,6 +635,9 @@ importers:
       axios:
         specifier: ^0.27.2
         version: 0.27.2
+      get-port:
+        specifier: ^6.1.2
+        version: 6.1.2
       ws:
         specifier: ^8.12.0
         version: 8.12.0
@@ -5441,12 +5441,6 @@ packages:
     resolution: {integrity: sha512-Hr5Jfhc9eYOQNPYO5WLDq/n4jqijdHNlDXjuAQkkt+mWdQR+XJToOHrsD4cPaMXpn6KO7y2+wM8AZEs8VpBLVA==}
     dev: true
 
-  /@types/jsonwebtoken@8.5.9:
-    resolution: {integrity: sha512-272FMnFGzAVMGtu9tkr29hRL6bZj4Zs1KZNeHLnKqAvp06tAIcarTMwOh8/8bz4FmKRcMxZhZNeUAQsNLoiPhg==}
-    dependencies:
-      '@types/node': 18.17.8
-    dev: true
-
   /@types/mime@1.3.2:
     resolution: {integrity: sha512-YATxVxgRqNH6nHEIsvg6k2Boc1JHI9ZbH5iWFFv/MTkchz3b1ieGDa5T0a9RznNdI0KhVbdbWSN+KWWrQZRxTw==}
     dev: true