diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6e6cb4d16..249b0ea17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@
 
 [1]: https://pypi.org/project/google-auth/#history
 
+## [2.18.1](https://github.com/googleapis/google-auth-library-python/compare/v2.18.0...v2.18.1) (2023-05-17)
+
+
+### Bug Fixes
+
+* Self signed jwt token should be string type ([#1294](https://github.com/googleapis/google-auth-library-python/issues/1294)) ([17356fd](https://github.com/googleapis/google-auth-library-python/commit/17356fdd92da2123f989f67a5cebf82c78a3bc12))
+
 ## [2.18.0](https://github.com/googleapis/google-auth-library-python/compare/v2.17.3...v2.18.0) (2023-05-10)
 
 
diff --git a/google/auth/version.py b/google/auth/version.py
index fa3257aba..b766f25e1 100644
--- a/google/auth/version.py
+++ b/google/auth/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.18.0"
+__version__ = "2.18.1"
diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py
index bb2670525..a0268970c 100644
--- a/google/oauth2/service_account.py
+++ b/google/oauth2/service_account.py
@@ -418,7 +418,7 @@ def refresh(self, request):
         # subject exists, then we should not use self signed JWT.
         if self._subject is None and self._jwt_credentials is not None:
             self._jwt_credentials.refresh(request)
-            self.token = self._jwt_credentials.token
+            self.token = self._jwt_credentials.token.decode()
             self.expiry = self._jwt_credentials.expiry
         else:
             assertion = self._make_authorization_grant_assertion()
diff --git a/system_tests/secrets.tar.enc b/system_tests/secrets.tar.enc
index 8a3cf4010..3e07328e6 100644
Binary files a/system_tests/secrets.tar.enc and b/system_tests/secrets.tar.enc differ
diff --git a/system_tests/system_tests_sync/test_requests.py b/system_tests/system_tests_sync/test_requests.py
index 28004848b..1b3fba7b0 100644
--- a/system_tests/system_tests_sync/test_requests.py
+++ b/system_tests/system_tests_sync/test_requests.py
@@ -39,4 +39,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
     # Check that self-signed JWT was created and is being used
     assert credentials._jwt_credentials is not None
-    assert credentials._jwt_credentials.token == credentials.token
+    assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/system_tests/system_tests_sync/test_urllib3.py b/system_tests/system_tests_sync/test_urllib3.py
index 1932e1913..916211ac6 100644
--- a/system_tests/system_tests_sync/test_urllib3.py
+++ b/system_tests/system_tests_sync/test_urllib3.py
@@ -41,4 +41,4 @@ def test_authorized_session_with_service_account_and_self_signed_jwt():
 
     # Check that self-signed JWT was created and is being used
     assert credentials._jwt_credentials is not None
-    assert credentials._jwt_credentials.token == credentials.token
+    assert credentials._jwt_credentials.token.decode() == credentials.token
diff --git a/tests/oauth2/test_service_account.py b/tests/oauth2/test_service_account.py
index c48635d4d..8388acd06 100644
--- a/tests/oauth2/test_service_account.py
+++ b/tests/oauth2/test_service_account.py
@@ -18,6 +18,7 @@
 
 import mock
 import pytest  # type: ignore
+import six
 
 from google.auth import _helpers
 from google.auth import crypt
@@ -470,7 +471,7 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
 
         token = "token"
         expiry = _helpers.utcnow() + datetime.timedelta(seconds=500)
-        make_jwt.return_value = (token, expiry)
+        make_jwt.return_value = (b"token", expiry)
 
         # Credentials should start as invalid
         assert not credentials.valid
@@ -487,6 +488,16 @@ def test_refresh_with_jwt_credentials(self, make_jwt):
         assert credentials.token == token
         assert credentials.expiry == expiry
 
+    def test_refresh_with_jwt_credentials_token_type_check(self):
+        credentials = self.make_credentials()
+        credentials._create_self_signed_jwt("https://pubsub.googleapis.com")
+        credentials.refresh(mock.Mock())
+
+        # Credentials token should be a JWT string.
+        assert isinstance(credentials.token, six.string_types)
+        payload = jwt.decode(credentials.token, verify=False)
+        assert payload["aud"] == "https://pubsub.googleapis.com"
+
     @mock.patch("google.oauth2._client.jwt_grant", autospec=True)
     @mock.patch("google.auth.jwt.Credentials.refresh", autospec=True)
     def test_refresh_jwt_not_used_for_domain_wide_delegation(