diff --git a/packages/core/package.json b/packages/core/package.json index 42dd4d7dac..0245c8f345 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -67,7 +67,6 @@ }, "license": "ISC", "dependencies": { - "@panva/hkdf": "^1.2.1", "jose": "^6.0.6", "oauth4webapi": "^3.3.0", "preact": "10.24.3", diff --git a/packages/core/src/jwt.ts b/packages/core/src/jwt.ts index fe93e12668..df52f12e45 100644 --- a/packages/core/src/jwt.ts +++ b/packages/core/src/jwt.ts @@ -36,7 +36,6 @@ * @module jwt */ -import { hkdf } from "@panva/hkdf" import { EncryptJWT, base64url, calculateJwkThumbprint, jwtDecrypt } from "jose" import { defaultCookies, SessionStore } from "./lib/utils/cookie.js" import { Awaitable } from "./types.js" @@ -191,8 +190,8 @@ export async function getToken( async function getDerivedEncryptionKey( enc: string, - keyMaterial: Parameters[1], - salt: Parameters[2] + keyMaterial: string | Uint8Array, + salt: string | Uint8Array ) { let length: number switch (enc) { @@ -205,13 +204,28 @@ async function getDerivedEncryptionKey( default: throw new Error("Unsupported JWT Content Encryption Algorithm") } - return await hkdf( - "sha256", - keyMaterial, - salt, - `Auth.js Generated Encryption Key (${salt})`, - length + + // from: https://github.com/panva/hkdf + const derivedKey = new Uint8Array( + await globalThis.crypto.subtle.deriveBits( + { + name: "HKDF", + hash: "SHA-256", + salt: Buffer.from(salt), + info: Buffer.from(`Auth.js Generated Encryption Key (${salt})`), + }, + await globalThis.crypto.subtle.importKey( + "raw", + Buffer.from(keyMaterial), + "HKDF", + false, + ["deriveBits"] + ), + length << 3 + ) ) + + return derivedKey } export interface DefaultJWT extends Record { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f6fe6e4264..8c735738f9 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml 
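Review bot: With the parameter types in this signature no longer derived from the hkdf library, nothing on `getDerivedEncryptionKey` records what the function must stay compatible with. I would add a doc comment above it such as `/** Derives the JWE content-encryption key via HKDF-SHA-256. Output must stay byte-identical to the former @panva/hkdf call, otherwise previously issued tokens will presumably fail to decrypt. */`. It is also worth noting there that a `Uint8Array` salt is interpolated into the info string through its default string conversion, which this change keeps as it was. The function body continues in the next hunk.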
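Review bot: The three `Buffer.from(...)` calls in the new `importKey`/`deriveBits` code depend on a Node.js global, so the inlined HKDF would throw a ReferenceError on any runtime that provides Web Crypto but not `Buffer`. The use of `globalThis.crypto.subtle` suggests such runtimes are intended, though the diff does not show the package's targets. Encoding strings with `TextEncoder` and passing `Uint8Array` inputs through unchanged gives the same UTF-8 bytes without that dependency. The inlined code also has no input validation of its own; as far as I recall the removed library rejected empty key material, so an explicit length check is worth keeping to stop an empty secret from silently producing a predictable key. A known-answer test against a key produced by the old implementation would confirm that tokens encrypted before this change still decrypt; the signature and the `enc` switch sit in the previous hunk.

```typescript
// … unchanged: signature and the enc → length switch …

  const encoder = new TextEncoder()
  const toBytes = (value: string | Uint8Array) =>
    typeof value === "string" ? encoder.encode(value) : value

  const ikm = toBytes(keyMaterial)
  if (ikm.byteLength === 0) {
    throw new TypeError("Key material must be at least one byte long")
  }

  const baseKey = await globalThis.crypto.subtle.importKey(
    "raw",
    ikm,
    "HKDF",
    false,
    ["deriveBits"]
  )
  const bits = await globalThis.crypto.subtle.deriveBits(
    {
      name: "HKDF",
      hash: "SHA-256",
      salt: toBytes(salt),
      info: encoder.encode(`Auth.js Generated Encryption Key (${salt})`),
    },
    baseKey,
    length << 3 // HKDF length is requested in bits; `length` is in bytes
  )

  return new Uint8Array(bits)
```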
@@ -676,9 +676,6 @@ importers: packages/core: dependencies: - '@panva/hkdf': - specifier: ^1.2.1 - version: 1.2.1 jose: specifier: ^6.0.6 version: 6.0.6 @@ -4068,9 +4065,6 @@ packages: '@pandacss/types@0.22.1': resolution: {integrity: sha512-WZCQrTa5wlenBStlu0gntKGi4dWA96LCft1oEqdh2u6VPK0sEfqk0wjyJGps/YN3pNjNKiQW3b4p1Wx+RshlYA==} - '@panva/hkdf@1.2.1': - resolution: {integrity: sha512-6oclG6Y3PiDFcoyk8srjLfVKyMfVCKJ27JwNPViuXziFpmdz+MZnZN/aKY0JGXgYuO/VghU0jcOAZgWXZ1Dmrw==} - '@parcel/watcher-android-arm64@2.4.1': resolution: {integrity: sha512-LOi/WTbbh3aTn2RYddrO8pnapixAziFl6SMxHM69r3tvdSm94JtCenaKgk1GRg5FJ5wpMCpHeW+7yqPlvZv7kg==} engines: {node: '>= 10.0.0'} @@ -18057,8 +18051,6 @@ snapshots: '@pandacss/types@0.22.1': {} - '@panva/hkdf@1.2.1': {} - '@parcel/watcher-android-arm64@2.4.1': optional: true