diff --git a/doc/releases/migration-guide-4.4.rst b/doc/releases/migration-guide-4.4.rst
index 2aa9e768f18ad..6bced11e956dc 100644
--- a/doc/releases/migration-guide-4.4.rst
+++ b/doc/releases/migration-guide-4.4.rst
@@ -105,6 +105,13 @@ Networking
 Other subsystems
 ****************
+JWT
+===
+
+* Previously deprecated ``CONFIG_JWT_SIGN_RSA_LEGACY`` is removed. This removal happens before
+ the usual deprecation period of 2 releases because it has been agreed (see :github:`97660`)
+ that Mbed TLS is an external module, so normal deprecation rules do not apply in this case.
+
 Modules
 *******
diff --git a/subsys/jwt/CMakeLists.txt b/subsys/jwt/CMakeLists.txt
index 046086212debd..f7bd4bb66f994 100644
--- a/subsys/jwt/CMakeLists.txt
+++ b/subsys/jwt/CMakeLists.txt
@@ -2,11 +2,6 @@
 zephyr_library()
 zephyr_library_sources(jwt.c)
-
-zephyr_library_sources_ifdef(CONFIG_JWT_SIGN_RSA_LEGACY jwt_legacy_rsa.c)
-
-if(CONFIG_JWT_SIGN_RSA_PSA OR CONFIG_JWT_SIGN_ECDSA_PSA)
- zephyr_library_sources(jwt_psa.c)
-endif()
+zephyr_library_sources(jwt_psa.c)
 zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
index c6144b2f7ac63..4753318853f71 100644
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@@ -16,17 +16,6 @@ choice
 help
 Select which algorithm to use for signing JWT tokens.
-config JWT_SIGN_RSA_LEGACY
- bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library [DEPRECATED]"
- depends on ENTROPY_NODE_ENABLED
- select DEPRECATED
- select MBEDTLS
- select MBEDTLS_MD_C
- select MBEDTLS_RSA_C
- select MBEDTLS_PKCS1_V15
- select MBEDTLS_PKCS1_V21
- select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-
 config JWT_SIGN_RSA_PSA
 bool "Use RSA signature (RS-256). Use PSA Crypto API."
 select PSA_CRYPTO
diff --git a/subsys/jwt/jwt.c b/subsys/jwt/jwt.c
index 09d6e25feebd4..ec9a027fe10e4 100644
--- a/subsys/jwt/jwt.c
+++ b/subsys/jwt/jwt.c
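Review bot: Removing `JWT_SIGN_RSA_LEGACY` from the `choice` means a stale `CONFIG_JWT_SIGN_RSA_LEGACY=y` left in an application's configuration is now only an unknown-symbol warning, and the choice silently falls back to whichever entry is its default (outside this hunk), so an application that expected RS256 tokens may build with a different signing algorithm and emit tokens its verifier rejects. The migration-guide entry in this commit states that the option is removed but not what to select instead. I would extend that entry with a sentence such as `Applications that relied on it should select ``CONFIG_JWT_SIGN_RSA_PSA`` instead, which keeps the RS-256 signature but uses the PSA Crypto API.` The rest of the `choice` block, including its default, is outside the hunk.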
@@ -14,7 +14,7 @@
 #include "jwt.h"
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 #define JWT_SIGNATURE_LEN 256
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */
 #define JWT_SIGNATURE_LEN 64
@@ -143,7 +143,7 @@ static int jwt_add_header(struct jwt_builder *builder)
 * Use https://www.base64encode.org/ for update
 */
 const char jwt_header[] =
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 /* {"alg":"RS256","typ":"JWT"} */
 "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9";
 #else /* CONFIG_JWT_SIGN_ECDSA_PSA */
diff --git a/subsys/jwt/jwt_legacy_rsa.c b/subsys/jwt/jwt_legacy_rsa.c
deleted file mode 100644
index 2eb0adc0ede9f..0000000000000
--- a/subsys/jwt/jwt_legacy_rsa.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2024 BayLibre SAS
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include "jwt.h"
-
-static int csprng_wrapper(void *ctx, unsigned char *dest, size_t size)
-{
- ARG_UNUSED(ctx);
-
- return sys_csrand_get((void *)dest, size);
-}
-
-int jwt_sign_impl(struct jwt_builder *builder, const unsigned char *der_key, size_t der_key_len,
- unsigned char *sig, size_t sig_size)
-{
- int res;
- mbedtls_pk_context ctx;
- size_t sig_len_out;
-
- mbedtls_pk_init(&ctx);
-
- res = mbedtls_pk_parse_key(&ctx, der_key, der_key_len, NULL, 0, csprng_wrapper, NULL);
- if (res != 0) {
- return res;
- }
-
- uint8_t hash[32];
-
- /*
- * The '0' indicates to mbedtls to do a SHA256, instead of
- * 224.
- */
- res = mbedtls_sha256(builder->base, builder->buf - builder->base, hash, 0);
- if (res != 0) {
- return res;
- }
-
- res = mbedtls_pk_sign(&ctx, MBEDTLS_MD_SHA256, hash, sizeof(hash), sig, sig_size,
- &sig_len_out, csprng_wrapper, NULL);
- return res;
-}
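Review bot: Both `#if defined(CONFIG_JWT_SIGN_RSA_PSA)` blocks in this file still close with a bare `#else /* CONFIG_JWT_SIGN_ECDSA_PSA */`, so if the Kconfig choice ever gains another entry or is made optional, a build with neither RSA nor ECDSA selected silently gets the 64-byte signature length and the ECDSA header string instead of failing to compile. Now that the condition is a single symbol, the structure can be made explicit: change the second branch to `#elif defined(CONFIG_JWT_SIGN_ECDSA_PSA)` and add a trailing `#else` with `#error "No JWT signing algorithm selected"` before the `#endif`. The same applies to the `jwt_header[]` block in the second hunk and to the equivalent `#if` in tests/subsys/jwt/src/jwt-test-private.c. `jwt_add_header()` and both `#endif` lines are outside the hunks.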
diff --git a/tests/subsys/jwt/src/jwt-test-private.c b/tests/subsys/jwt/src/jwt-test-private.c
index 600eaf62d5b13..d805449d0ae06 100644
--- a/tests/subsys/jwt/src/jwt-test-private.c
+++ b/tests/subsys/jwt/src/jwt-test-private.c
@@ -4,7 +4,7 @@
 *
 */
-#if defined(CONFIG_JWT_SIGN_RSA_PSA) || defined(CONFIG_JWT_SIGN_RSA_LEGACY)
+#if defined(CONFIG_JWT_SIGN_RSA_PSA)
 /* To generate the key in the correct format use the following command:
 * $ openssl genrsa 2048 | openssl rsa -outform DER | xxd -i
diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml
index 9a7a547f56ba3..18f2231b5faed 100644
--- a/tests/subsys/jwt/testcase.yaml
+++ b/tests/subsys/jwt/testcase.yaml
@@ -19,10 +19,6 @@ tests:
 # source.
 - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
 - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
- libraries.encoding.jwt.rsa.legacy:
- filter: CSPRNG_ENABLED
- extra_configs:
- - CONFIG_JWT_SIGN_RSA_LEGACY=y
 libraries.encoding.jwt.rsa.psa:
 extra_configs:
 - CONFIG_JWT_SIGN_RSA_PSA=y