Skip to content

JWT expired

The JWT’s exp (expiration) claim is in the past, or the claim is missing.

  • The token’s payload.exp (epoch seconds) is less than or equal to the server’s current wall-clock time.
  • The token has no exp claim at all - Citizenry refuses to verify tokens that do not bind themselves to a lifetime.
  • Clock skew is not absorbed by Citizenry; clients should mint tokens with a comfortable margin (recommended: exp = now + 600).
  • Mint a fresh JWT and retry. The minting key remains valid; only the token has aged out.
  • If you are caching JWTs client-side, drop the entry and re-sign.
  • If clock skew is suspected, ensure your client’s wall clock is synced (NTP or equivalent).
  • Raised by: packages/identity/src/auth.ts - verifyAgentJwt step (6).
  • Guard: if (!payload.exp || payload.exp <= now) throw new AuthError(...).
{
"type": "https://citizenry.id/errors/ERR-P01-IDT-1003",
"title": "JWT expired",
"status": 401,
"code": "ERR-P01-IDT-1003",
"message": "JWT expired",
"detail": { "exp": 1715923200, "now": 1715926800 },
"method": "GET",
"instance": "/v1/agent/me",
"request_url": "https://api.citizenry.id/v1/agent/me",
"timestamp": "2026-05-17T07:00:00.000Z"
}
  • 0.1.0 - introduced.