diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go
index eb993789681..80ebd7a5192 100644
--- a/pkg/serviceaccount/claims.go
+++ b/pkg/serviceaccount/claims.go
@@ -192,9 +192,9 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
 			secondsAfterWarn := nowTime.Unix() - warnafter.Time().Unix()
 			auditInfo := fmt.Sprintf("subject: %s, seconds after warning threshold: %d", public.Subject, secondsAfterWarn)
 			audit.AddAuditAnnotation(ctx, "authentication.k8s.io/stale-token", auditInfo)
-			staleTokensTotal.Inc()
+			staleTokensTotal.WithContext(ctx).Inc()
 		} else {
-			validTokensTotal.Inc()
+			validTokensTotal.WithContext(ctx).Inc()
 		}
 	}
 
diff --git a/pkg/serviceaccount/jwt.go b/pkg/serviceaccount/jwt.go
index a90e9076c13..c779957bdbe 100644
--- a/pkg/serviceaccount/jwt.go
+++ b/pkg/serviceaccount/jwt.go
@@ -290,7 +290,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(ctx context.Context, tokenData
 	if len(tokenAudiences) == 0 {
 		// only apiserver audiences are allowed for legacy tokens
 		audit.AddAuditAnnotation(ctx, "authentication.k8s.io/legacy-token", public.Subject)
-		legacyTokensTotal.Inc()
+		legacyTokensTotal.WithContext(ctx).Inc()
 		tokenAudiences = j.implicitAuds
 	}