1
votes

I am working with an API that says to use JWTs in the Authorization header for each request, and says that exp and iat are not optional. How do I determine what values I should use for iat and exp? Does it matter? What is stopping me from setting the iat time to far in the past and the exp time to whatever I'd like?

RFC7519 says about iat

The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

and exp

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

1
When the API requires a JWT, it usually also has an endpoint to issue the token. It's usually not your responsibility to create the token like you want it; the API decides which values to use.
– jps

Thanks, that is what I thought. The document provided was worded in a way that it sounded like I myself would need to generate a JWT.
– karnosiris

1 Answer

0
votes

I figured I would answer this question in case someone else encounters some vague documentation that specifies this.

On my end, I was in fact required to create the JWT after providing a public key for the server. In each of my requests I would create the header, payload, and signature and send that as authorization.

The short answer is, I could set the iss and exp to any value I want: there wasn't any way to verify this on that server's end. The only reason to not set it so a token never expires by using a ridiculous exp value would be for security reasons.
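The question asks what values to use for iat and exp and what stops a client from choosing arbitrary ones, and the answer above reports a server that did not check them at all. The following is an added example, not code from the question, the answer, or the API being discussed: a client-side mint_token that sets iat to the current time and exp to iat plus a short lifetime, and a server-side verify_token that does what the RFC text quoted in the question requires (reject once the current time reaches exp) plus the iat checks a careful verifier adds (reject an iat in the future, a token older than a maximum age, or a lifetime longer than policy allows). It uses HS256 with a constructed shared secret instead of the answerer's public-key setup so it runs offline with the standard library only; the policy numbers (300 s lifetime, 3600 s maximum age, 30 s clock-skew leeway) and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. The answerer's API used a
# public key instead; HS256 is substituted here so the example is self-contained.
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload: dict, secret: bytes = SECRET) -> str:
    """Sign an arbitrary payload as an HS256 JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def mint_token(claims: dict, lifetime: int = 300, now=None, secret: bytes = SECRET) -> str:
    """Client side: iat is 'now', exp is iat plus a short, fixed lifetime."""
    now = int(time.time()) if now is None else now
    return sign_payload({**claims, "iat": now, "exp": now + lifetime}, secret)


def verify_token(token: str, now=None, max_age: int = 3600, leeway: int = 30,
                 secret: bytes = SECRET) -> dict:
    """Server side: signature first, then exp per RFC 7519, then iat policy.

    Raises ValueError with the reason on rejection; returns the claims on success.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    # This API declares both claims mandatory and they must be NumericDate values.
    for claim in ("iat", "exp"):
        if not isinstance(payload.get(claim), (int, float)) or isinstance(payload.get(claim), bool):
            raise ValueError(f"{claim} missing or not a NumericDate")
    # exp: the current time MUST be before exp (leeway absorbs clock skew).
    if now >= payload["exp"] + leeway:
        raise ValueError("token expired")
    # iat: a token cannot have been issued in the future ...
    if payload["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    # ... and the verifier, not the client, decides how old a token may be.
    if now - payload["iat"] > max_age:
        raise ValueError("token too old")
    # A 'never expires' exp is caught here even when the token is fresh.
    if payload["exp"] - payload["iat"] > max_age:
        raise ValueError("lifetime exceeds policy")
    return payload


def rejection_reason(token: str, now=None, **policy):
    """Convenience wrapper: None if the token is accepted, else the reason."""
    try:
        verify_token(token, now=now, **policy)
        return None
    except (ValueError, json.JSONDecodeError) as exc:
        return str(exc)
```

The point of the example is the asymmetry the question is really about: the client can write any iat and exp it likes into the payload, but only the verifier's checks give those numbers any meaning. The last two checks in verify_token are exactly what was missing on the server the answer describes; without them a token with exp set decades ahead is accepted for as long as the signing key is valid.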