diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out
index aff2d07bea3..427004c23b6 100644
--- a/contrib/pg_tde/expected/key_provider.out
+++ b/contrib/pg_tde/expected/key_provider.out
@@ -208,6 +208,13 @@ SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "
 ERROR:  external remote value must contain "url" in field "path"
 SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "file"}}');
 ERROR:  external file value must contain "path" in field "path"
+-- Creating key providers fails if values are array instead of scalar
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": ["array"]}');
+ERROR:  unexpected array in field "path"
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": ["array"]}}');
+ERROR:  unexpected array in field "path"
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "file", "path": ["array"]}}');
+ERROR:  unexpected array in field "path"
 -- Modifying key providers fails if any required parameter is NULL
 SELECT pg_tde_change_database_key_provider(NULL, 'file-keyring', '{}');
 ERROR:  provider type cannot be null
@@ -242,6 +249,13 @@ SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"
 ERROR:  external remote value must contain "url" in field "path"
 SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": "file"}}');
 ERROR:  external file value must contain "path" in field "path"
+-- Modifying key providers fails if values are array instead of scalar
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": ["array"]}');
+ERROR:  unexpected array in field "path"
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": ["array"]}}');
+ERROR:  unexpected array in field "path"
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": "file", "path": ["array"]}}');
+ERROR:  unexpected array in field "path"
 -- Deleting key providers fails if key name is NULL
 SELECT pg_tde_delete_database_key_provider(NULL);
 ERROR:  provider_name cannot be null
diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql
index 06462e7e2cd..2957cc9923f 100644
--- a/contrib/pg_tde/sql/key_provider.sql
+++ b/contrib/pg_tde/sql/key_provider.sql
@@ -86,6 +86,11 @@ SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {}}');
 SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "remote"}}');
 SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "file"}}');
 
+-- Creating key providers fails if values are array instead of scalar
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": ["array"]}');
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": ["array"]}}');
+SELECT pg_tde_add_database_key_provider('file', 'provider', '{"path": {"type": "file", "path": ["array"]}}');
+
 -- Modifying key providers fails if any required parameter is NULL
 SELECT pg_tde_change_database_key_provider(NULL, 'file-keyring', '{}');
 SELECT pg_tde_change_database_key_provider('file', NULL, '{}');
@@ -108,6 +113,12 @@ SELECT pg_tde_change_database_key_provider('file', 'file-provider', 'null');
 SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {}}');
 SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": "remote"}}');
 SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": "file"}}');
+
+-- Modifying key providers fails if values are array instead of scalar
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": ["array"]}');
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": ["array"]}}');
+SELECT pg_tde_change_database_key_provider('file', 'file-provider', '{"path": {"type": "file", "path": ["array"]}}');
+
 -- Deleting key providers fails if key name is NULL
 SELECT pg_tde_delete_database_key_provider(NULL);
 SELECT pg_tde_delete_global_key_provider(NULL);
diff --git a/contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c b/contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c
index 91f4e3ccc31..2a20750d0c2 100644
--- a/contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c
+++ b/contrib/pg_tde/src/catalog/tde_keyring_parse_opts.c
@@ -209,9 +209,15 @@ json_kring_array_start(void *state)
 			break;
 		case JK_EXPECT_TOP_FIELD:
 		case JK_EXPECT_EXTERN_VAL:
+			ereport(ERROR,
+					errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					errmsg("unexpected array in field \"%s\"", JK_FIELD_NAMES[parse->top_level_field]));
+			break;
 	}
 
-	return JSON_SUCCESS;
+	/* Never reached */
+	Assert(0);
+	return JSON_SEM_ACTION_FAILED;
 }
 
 /*