JWS lifetime exceeded
ERR-P01-IDT-1012 - JWS lifetime exceeded
Section titled “ERR-P01-IDT-1012 - JWS lifetime exceeded”Summary
Section titled “Summary”A body-signed request declares a validity window wider than the server’s
recommended maximum (exp - iat too large).
When this is raised
Section titled “When this is raised”- The JWS payload’s
exp - iatspan exceeds the recommended maximum lifetime for a self-service body JWS. - Unlike
ERR-P01-IDT-1003(the token is simply pastexp), this rejects a token whose requested lifetime is too long to be accepted at all, limiting the blast radius of a leaked single-use JWS.
What to do
Section titled “What to do”- Mint the JWS with a short, bounded lifetime - set
expclose toiat(a small number of minutes is ample for a single self-service call). - Do not pre-mint long-lived signed requests; sign just before sending.
Server-side cause
Section titled “Server-side cause”- Reserved - will be raised by the
/v1/agent/merotate-key / self-revoke flow; not yet wired (packages/identity/src/service/me.ts, whererotateKeyandselfRevokecurrently thrownot implemented).
Example response
Section titled “Example response”{ "type": "https://citizenry.id/errors/ERR-P01-IDT-1012", "title": "Unauthorized", "status": 401, "code": "ERR-P01-IDT-1012", "message": "JWS lifetime exceeds the allowed maximum", "method": "POST", "instance": "/v1/agent/me/rotate-key", "request_url": "https://api.citizenry.id/v1/agent/me/rotate-key", "timestamp": "2026-05-17T07:00:00.000Z"}Related codes
Section titled “Related codes”ERR-P01-IDT-1010- JWS replay.ERR-P01-IDT-1011- JWS action mismatch.
Changelog
Section titled “Changelog”- 0.1.0 - introduced.