diff --git a/.changelog/24966.txt b/.changelog/24966.txt
new file mode 100644
index 000000000..7cc48fd80
--- /dev/null
+++ b/.changelog/24966.txt
@@ -0,0 +1,3 @@
+```release-note:security
+api: sanitize the SignedIdentities in allocations of events to clean the identity token.
+```
diff --git a/nomad/state/events.go b/nomad/state/events.go
index c2c30e10c..29abd6d9f 100644
--- a/nomad/state/events.go
+++ b/nomad/state/events.go
@@ -341,7 +341,7 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) {
 FilterKeys: filterKeys,
 Namespace: after.Namespace,
 Payload: &structs.AllocationEvent{
- Allocation: alloc,
+ Allocation: alloc.Sanitize(),
 },
 }, true
 case "jobs":
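Review bot: The `Allocation: alloc.Sanitize(),` line is the only thing keeping signed identity tokens out of this event payload, and nothing at the call site says so. A comment above it, such as `// Sanitize drops SignedIdentities so identity tokens are never delivered to event consumers.`, would make the call harder to revert by accident in a later refactor. The hunk shows only this one `Payload` inside eventFromChange, whose body starts and ends outside the hunk, so it is worth confirming that no other case in the function places an unsanitized allocation in an event. No test is visible in this diff; a regression test asserting that the emitted `structs.AllocationEvent` carries an allocation with empty `SignedIdentities` would pin the fix.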