diff --git a/pkg/crypto/aes.go b/pkg/crypto/aes.go
index cfe27f4..aa4b152 100644
--- a/pkg/crypto/aes.go
+++ b/pkg/crypto/aes.go
@@ -9,10 +9,11 @@ import (
 )
 var ErrShortCipherText = errors.New("ciphertext too short")
+var ErrNoEncryptionKey = errors.New("encryption key is required")
 func EncryptWithAESKey(data, key []byte) ([]byte, error) {
 if key == nil {
- return data, nil
+ return data, ErrNoEncryptionKey
 }
 block, err := aes.NewCipher(key)
@@ -35,7 +36,7 @@ func EncryptWithAESKey(data, key []byte) ([]byte, error) {
 func DecryptStringWithAESKey(data, key []byte) ([]byte, error) {
 if key == nil {
- return data, nil
+ return data, ErrNoEncryptionKey
 }
 block, err := aes.NewCipher(key)
diff --git a/pkg/crypto/aes_test.go b/pkg/crypto/aes_test.go
index b532fc1..3462a10 100644
--- a/pkg/crypto/aes_test.go
+++ b/pkg/crypto/aes_test.go
@@ -3,6 +3,7 @@ package crypto
 import (
 "bytes"
 "crypto/rand"
+ "fmt"
 "testing"
 "github.com/stretchr/testify/require"
@@ -28,10 +29,10 @@ func TestAESEncryption(t *testing.T) {
 wantErr: false,
 },
 {
- name: "nil key returns original data",
+ name: "nil key returns error",
 data: []byte("hello world"),
 key: nil,
- wantErr: false,
+ wantErr: true,
 },
 {
 name: "empty data",
@@ -59,6 +60,8 @@ func TestAESEncryption(t *testing.T) {
 }
 require.NoError(t, err)
+ fmt.Println(string(encrypted))
+
 decrypted, err := DecryptStringWithAESKey(encrypted, tt.key)
 require.NoError(t, err)
@@ -98,6 +101,12 @@ func TestDecryptionErrors(t *testing.T) {
 key: key,
 errMsg: "message authentication failed",
 },
+ {
+ name: "missing key",
+ data: []byte("�`M���l\u001AIF�\u0012���=h�?�c� ��\u0012����\u001C�\u0018Ƽ(g"),
+ key: nil,
+ errMsg: "encryption key is required",
+ },
 }
 for _, tt := range tests {
diff --git a/token/delegation/delegation_test.go b/token/delegation/delegation_test.go
index 113ea52..53d7a8f 100644
--- a/token/delegation/delegation_test.go
+++ b/token/delegation/delegation_test.go
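Review bot: Both nil-key branches in pkg/crypto/aes.go still hand the input back next to the new error (`return data, ErrNoEncryptionKey`), so a caller that drops the error receives the plaintext from EncryptWithAESKey (hunk -9,10) or the unprocessed input from DecryptStringWithAESKey (hunk -35,7) as if it were the result. `return nil, ErrNoEncryptionKey` in both places makes the failure closed and follows the convention that the value is meaningless when err is non-nil. The guard `key == nil` also lets a non-nil empty slice reach aes.NewCipher, which rejects it with its own key-size error; `if len(key) == 0 {` would map both cases onto the sentinel. The exported sentinel has no doc comment; `// ErrNoEncryptionKey is returned when no key is supplied to the AES helpers.` would do. Both function bodies continue outside the hunks.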
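Review bot: `fmt.Println(string(encrypted))` in TestAESEncryption (pkg/crypto/aes_test.go, hunk -59,6) looks like leftover debugging: it writes raw ciphertext bytes to stdout for every passing case, which puts unprintable bytes into CI logs and asserts nothing. Drop the line together with the `"fmt"` import added in the hunk at -3,6. If the value is useful while debugging, `t.Logf("ciphertext: %x", encrypted)` keeps it hex-encoded and shows it only on failure or with -v. The test function starts and ends outside the hunk.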
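Review bot: The `data` literal of the new "missing key" case in TestDecryptionErrors (pkg/crypto/aes_test.go, hunk -98,6) contains U+FFFD replacement characters as rendered here, so it is presumably pasted terminal output rather than real ciphertext, unless the page itself mangled the bytes. The nil-key guard in DecryptStringWithAESKey returns before the data is read, so a plain placeholder such as `data: []byte("ciphertext placeholder"),` tests the same thing without non-ASCII bytes in the source. Matching on `errMsg` also couples the test to the wording; if the loop body (outside this hunk) allows it, `require.ErrorIs(t, err, ErrNoEncryptionKey)` pins the sentinel itself.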
@@ -210,16 +210,15 @@ func TestEncryptedMeta(t *testing.T) {
 "secret2": "value2",
 "secret3": "value3",
 }
+ var opts []delegation.Option
+ for k, v := range values {
+ opts = append(opts, delegation.WithEncryptedMeta(k, v, encryptionKey))
+ }
 // Create token with multiple encrypted values
- tkn, err := delegation.New(privKey, aud, cmd, pol, delegation.WithMeta("foo", "bar"))
+ tkn, err := delegation.New(privKey, aud, cmd, pol, opts...)
 require.NoError(t, err)
- for k, v := range values {
- err := tkn.Meta().AddEncrypted(k, v, encryptionKey)
- require.NoError(t, err)
- }
-
 data, err := tkn.ToDagCbor(privKey)
 require.NoError(t, err)
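Review bot: Dropping `delegation.WithMeta("foo", "bar")` means TestEncryptedMeta no longer builds a token that mixes plain and encrypted meta, and the `Meta().AddEncrypted` path loses the coverage this test gave it (it may be covered elsewhere; that is not visible from this hunk). Seeding the slice keeps the mixed case: `opts := []delegation.Option{delegation.WithMeta("foo", "bar")}`. Since the same commit makes a nil key an error in pkg/crypto, a case asserting that `delegation.New` fails when `WithEncryptedMeta` is given a nil key would pin the fail-closed behaviour at the token level, assuming the option propagates that error. The test function starts and ends outside the hunk.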