diff --git a/cmd/cmd_create_client.go b/cmd/cmd_create_client.go
index 629ef495a2e..462c194c206 100644
--- a/cmd/cmd_create_client.go
+++ b/cmd/cmd_create_client.go
@@ -17,6 +17,7 @@ import (
 )
 
 const (
+	flagClientAccessTokenStrategy               = "access-token-strategy"
 	flagClientAllowedCORSOrigin                 = "allowed-cors-origin"
 	flagClientAudience                          = "audience"
 	flagClientBackchannelLogoutCallback         = "backchannel-logout-callback"
diff --git a/cmd/cmd_helper_client.go b/cmd/cmd_helper_client.go
index f35af499cce..2f9cd72b048 100644
--- a/cmd/cmd_helper_client.go
+++ b/cmd/cmd_helper_client.go
@@ -18,6 +18,7 @@ import (
 
 func clientFromFlags(cmd *cobra.Command) hydra.OAuth2Client {
 	return hydra.OAuth2Client{
+		AccessTokenStrategy:               pointerx.String(flagx.MustGetString(cmd, flagClientAccessTokenStrategy)),
 		AllowedCorsOrigins:                flagx.MustGetStringSlice(cmd, flagClientAllowedCORSOrigin),
 		Audience:                          flagx.MustGetStringSlice(cmd, flagClientAudience),
 		BackchannelLogoutSessionRequired:  pointerx.Bool(flagx.MustGetBool(cmd, flagClientBackChannelLogoutSessionRequired)),
@@ -81,6 +82,7 @@ func registerClientFlags(flags *pflag.FlagSet) {
 	flags.StringSlice(flagClientPostLogoutCallback, []string{}, "List of allowed URLs to be redirected to after a logout.")
 	flags.Bool(flagClientSkipConsent, false, "Boolean flag specifying whether to skip the consent screen for this client. If omitted, the default value is false.")
 	flags.Bool(flagClientLogoutSkipConsent, false, "Boolean flag specifying whether to skip the logout consent screen for this client. If omitted, the default value is false.")
+	flags.String(flagClientAccessTokenStrategy, "opaque", "The strategy used to generate access tokens. Valid options are `opaque` and `jwt`. If omitted, the default value is `opaque`.")
 
 	// back-channel logout options
 	flags.Bool(flagClientBackChannelLogoutSessionRequired, false, "Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the backchannel-logout-callback is used. If omitted, the default value is false.")