diff --git a/oauth3.crypto.js b/oauth3.crypto.js
index a6559ab..67c27ff 100644
--- a/oauth3.crypto.js
+++ b/oauth3.crypto.js
@@ -188,7 +188,9 @@
 return OAUTH3.PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));
 }
- var jwkStr = '{' + keys.map(function (name) { return name+':'+jwk[name]; }).join(',') + '}';
+ // I'm not actually 100% sure this behavior is guaranteed, but when we use an array as the
+ // replacer argument the keys are always in the order they appeared in the array.
+ var jwkStr = JSON.stringify(jwk, keys);
 return OAUTH3.crypto.core.sha256(OAUTH3._binStr.binStrToBuffer(jwkStr))
 .then(OAUTH3._base64.bufferToUrlSafe);
 };
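Review bot: The added comment leaves the ordering guarantee open, and that ordering is exactly what the SHA-256 on the following line depends on. ECMAScript does define it: with an array replacer, JSON.stringify builds its property list from the array in order and serializes only those members, so the comment can say so, e.g. `// An array replacer fixes member order to the array's order (ECMAScript JSON.stringify); keys must be sorted lexicographically for RFC 7638.` The hunk does not show where `keys` is built, since the function starts above it, so it is worth confirming there that the list is lexicographically ordered and that every listed value is a string; a number or nested object would serialize differently from the input other implementations hash. If this is the JWK thumbprint it appears to be, the output also changes relative to the old unquoted `{name:value}` form, so any thumbprint stored or compared from earlier versions would stop matching.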