oauth2.dev

exp

IESG

Registry Context

The `exp` claim identifies the time on or after which a JWT must not be accepted for processing.

Technical Summary

The `exp` value must be a number containing a NumericDate value. Processing requires the current date and time to be before the expiration time, although implementers may allow small clock-skew leeway.

When Used

Used to specify a JWT's expiration time; use of the claim is optional.

Normative Requirements

Implementers

MAY
1
  1. RFC 7519 - Section 4.1.4

    provide some small leeway, usually no more than a few minutes, to account for clock skew..

    Condition: When processing an `exp` claim.

    Implementers MAY provide for some small leeway

JWT issuer

MUST
1
  1. RFC 7519 - Section 4.1.4

    encode the `exp` value as a number containing a NumericDate value..

    Condition: When including an `exp` claim in a JWT.

    Its value MUST be a number containing a NumericDate value.

OPTIONAL
1
  1. RFC 7519 - Section 4.1.4

    include the `exp` claim in a JWT..

    Use of this claim is OPTIONAL.

JWT processor

MUST NOT
1
  1. RFC 7519 - Section 4.1.4

    accept the JWT for processing on or after the expiration time identified by `exp`..

    Condition: When processing a JWT containing an `exp` claim.

    the JWT MUST NOT be accepted for processing

MUST
1
  1. RFC 7519 - Section 4.1.4

    ensure that the current date and time is before the expiration date and time listed in `exp`..

    Condition: When processing an `exp` claim.

    the current date/time MUST be before the expiration date/time

Validation Guidance

error

Verify that an included `exp` value is a number containing a NumericDate value.

error

Do not accept a JWT for processing when the current time is at or after `exp`.

warning

If clock-skew leeway is allowed, keep it small, usually no more than a few minutes.

info

Do not require `exp` solely because RFC 7519 defines the claim; its use is optional.

Security Notes

RFC 7519 - Section 4.1.4

Enforcing the expiration-time check prevents a JWT from being accepted for processing on or after its stated expiration time.

Reference

Details

Entry Id
exp
Claim Name
exp
Claim Description
Expiration Time
Change Controller
IESG
Reference
RFC7519 - Section 4.1.4