I am working with an API that states to use JWTs in the Authorization header for each request, and says that exp and iat are not optional. How do I determine what values I should use for iat and exp? Does it matter? What is stopping me from setting iat time to far in the past and exp time to whatever I'd like?
RFC 7519 says about iat:
The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.
and about exp:
The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.
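The receiving side can bound both claims itself. The following is an added example, not part of the original question and not the API's own code: an HS256 verifier that applies the RFC 7519 exp rule quoted above and uses iat to cap token age. The names `sign`, `verify`, `MAX_LIFETIME` and `LEEWAY`, and the policy values, are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Assumed verifier policy, chosen for this example (not from the API in the question).
MAX_LIFETIME = 300   # largest exp - iat the verifier accepts, in seconds
LEEWAY = 30          # tolerated clock skew between client and server, in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (the client side of the exchange)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token: str, key: bytes, now: int) -> str:
    """Return 'ok', or the reason the token is rejected."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64(head))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _unb64(sig)):
            return "bad signature"
        claims = json.loads(_unb64(body))
        exp, iat = claims.get("exp"), claims.get("iat")
    except (ValueError, AttributeError):
        return "malformed"
    # NumericDate must be a JSON number; bool is an int subclass, so exclude it.
    for value in (exp, iat):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return "exp and iat are required numbers"
    if now >= exp + LEEWAY:          # RFC 7519: current time MUST be before exp
        return "expired"
    if iat > now + LEEWAY:           # issued "in the future" means a bad clock or a forged iat
        return "iat in the future"
    if exp - iat > MAX_LIFETIME:     # backdated iat or far-off exp exceeds the policy window
        return "lifetime too long"
    return "ok"
```

With this policy, a token carrying an iat far in the past and an exp far in the future still has a valid signature but is rejected as "lifetime too long".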