diff --git a/lib/travis/model/job.rb b/lib/travis/model/job.rb
index 1d86e278e..321bdbe1b 100644
--- a/lib/travis/model/job.rb
+++ b/lib/travis/model/job.rb
@@ -23,6 +23,11 @@ class Job < Travis::Model
 mariadb
 postgresql
 ssh_known_hosts
+ jwt
+ ).freeze
+
+ ALWAYS_DECRYPT_ADDONS = %w(
+ jwt
 ).freeze

 class << self
@@ -138,6 +143,11 @@ def decrypted_config
 config[:addons] = decrypt_addons(config[:addons])
 else
 delete_addons(config)
+ if config[:addons]
+ config[:addons] = config[:addons].merge(
+ decrypt_addons(config[:addons]).keep_if { |key, _| ALWAYS_DECRYPT_ADDONS.include? key.to_s }
+ )
+ end
 end
 end
 end
diff --git a/spec/travis/model/job_spec.rb b/spec/travis/model/job_spec.rb
index 8a3b18d5d..f889fc86e 100644
--- a/spec/travis/model/job_spec.rb
+++ b/spec/travis/model/job_spec.rb
@@ -355,6 +355,33 @@
 }
 }
 end
+
+ it 'decrypts whitelisted addons', :only => true do
+ secret_str = job.repository.key.secure.encrypt('ABC=foobar')
+ config = { rvm: '1.8.7',
+ addons: {
+ jwt: {
+ secret: secret_str
+ },
+ apt_packages: {
+ secret: secret_str
+ }
+ }
+ }
+ job.config = config
+
+ job.decrypted_config.should == {
+ rvm: '1.8.7',
+ addons: {
+ jwt: {
+ secret: 'ABC=foobar'
+ },
+ apt_packages: {
+ secret: { :secure => secret_str["secure"] }
+ }
+ }
+ }
+ end
 end

 context 'when job has secure env enabled' do
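Review bot: `ALWAYS_DECRYPT_ADDONS` is introduced without a comment, although it is a security-relevant allowlist: the second hunk decrypts its entries in the `else` branch of `decrypted_config`, the branch that does not decrypt the other addons. A comment above the constant would record that, for example `# Addons whose secure values are decrypted even on the decrypted_config branch that leaves the rest encrypted; check what consumes the plaintext before adding an entry.` The same hunk also adds `jwt` to the list above it, which suggests an entry must be in both lists to survive `delete_addons`. That dependency is inferred, since `delete_addons` is outside the diff, but if it holds it belongs in the comment too.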
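Review bot: The added block in the `else` branch passes the whole `config[:addons]` hash to `decrypt_addons` and only afterwards filters with `keep_if`. Presumably this means secure values of addons outside `ALWAYS_DECRYPT_ADDONS` are decrypted and then thrown away, on a path that otherwise keeps them encrypted. Filtering first keeps plaintext to the listed addons: `listed = config[:addons].select { |key, _| ALWAYS_DECRYPT_ADDONS.include?(key.to_s) }` followed by `config[:addons] = config[:addons].merge(decrypt_addons(listed))`. The guard `if config[:addons]` only tests truthiness while `.merge` needs a Hash, and the hunk does not show whether `delete_addons` guarantees that for user-supplied config. The `if` condition that selects this branch also lies outside the hunk, so a short comment stating why decryption is acceptable here would help the next reader.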
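Review bot: The new example is tagged `:only => true`, which looks like a focus tag left over from local runs. If the suite's RSpec configuration filters on that metadata, committing it would narrow the run to this single example and hide failures elsewhere. The line should read `it 'decrypts whitelisted addons' do`. The enclosing `context` opens outside the hunk, so the secure-env state this example runs under is not visible here; naming it in the example description would make the intent explicit.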