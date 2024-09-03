When you look at that ttl claim, you probably think of time-to-live, because that’s what TTL typically stands for. So, this probably has to do with how long the JWT is valid. This must be the expiration time.

We can do some simple math here. Maybe 86,400,000 is the number of seconds, in which case the issuer intends this JWT to be valid for 1000 days. Or perhaps they mean milliseconds, in which case they intend this JWT to be valid for 1 day. That might make sense too.

But here’s the problem: the JWT spec (RFC 7519, Section 4.1.4) says that expiration time is carried in exp, not ttl:

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

So then, we’ve got a couple of problems here.

First, the issuer of this JWT is using ttl to carry the expiration, but ttl is not a registered JWT claim. RFC 7519 requires implementations to ignore claims they do not understand, so a standard library will verify the signature, skip ttl, and, finding no exp, treat the token as non-expiring. Nothing looks wrong to the verifier; the token simply never expires.

Second, exp carries an absolute expiration time as a NumericDate (seconds since the Unix epoch), not a lifetime relative to the issue time. Moving the ttl value into exp unchanged would not help either: 86,400,000 read as a NumericDate is a date in 1972, so the token would be rejected as already expired. The issuer has to compute exp = iat + lifetime in seconds, because that absolute value is what the verifier compares against its clock.
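Both problems are easy to see with a spec-shaped verifier. The following is an added example, not code from the original post: a minimal HS256 signer and verifier using only the Python standard library, with a constructed key, constructed claims and a fixed clock. It shows that a token carrying only ttl is still accepted a year after issue, that a string or relative exp is rejected, and that converting ttl into an absolute exp makes expiry work. The helper names (sign_hs256, verify_hs256, ttl_to_exp, is_accepted) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed example material; not from the original post.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUED_AT = 1_700_000_000  # fixed "iat" so results are reproducible offline


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact-serialization JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes, now: float, leeway: int = 60) -> dict:
    """Verify signature, then apply RFC 7519 4.1.4 to exp if present.

    Unknown claims such as 'ttl' are ignored, as the spec requires, so a
    token without exp passes the time check no matter how old it is.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    signing_input = f"{h}.{p}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    if exp is not None:
        # NumericDate is a JSON number; strings and booleans are invalid.
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            raise ValueError("exp must be a NumericDate")
        # Reject on or after exp, allowing a small clock-skew leeway.
        if now >= exp + leeway:
            raise ValueError("token expired")
    return claims


def is_accepted(token: str, key: bytes, now: float) -> bool:
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def ttl_to_exp(claims: dict, ttl_unit_seconds: float) -> dict:
    """Issuer-side fix: turn {'iat', 'ttl'} into an absolute 'exp'."""
    fixed = dict(claims)
    ttl = fixed.pop("ttl")
    fixed["exp"] = int(fixed["iat"] + ttl * ttl_unit_seconds)
    return fixed


if __name__ == "__main__":
    broken = sign_hs256({"sub": "alice", "iat": ISSUED_AT, "ttl": 86_400_000}, SECRET)
    print("ttl-only token, one year later:", is_accepted(broken, SECRET, ISSUED_AT + 365 * 86400))
    fixed_claims = ttl_to_exp({"sub": "alice", "iat": ISSUED_AT, "ttl": 86_400_000}, 0.001)
    fixed = sign_hs256(fixed_claims, SECRET)
    print("exp token, one hour later:", is_accepted(fixed, SECRET, ISSUED_AT + 3600))
    print("exp token, two days later:", is_accepted(fixed, SECRET, ISSUED_AT + 2 * 86400))
```

The verifier deliberately does nothing special for ttl; that is the point. The only place the issuer's intent can take effect is in the exp value it signs, so the fix belongs on the issuing side (ttl_to_exp here), and the unit of ttl has to be decided there too, since 86,400,000 milliseconds and 86,400,000 seconds give expirations almost three years apart.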

Whether you neglect to set the expiration time for a JWT or you set it incorrectly (as in our example), your JWT will be treated as non-expiring. And this presents a significant security flaw.

Without proper expiration, a JWT can be reused by attackers or leak beyond its intended lifespan, increasing the risk of unauthorized access. Because verification is stateless, a stolen non-expiring token stays valid until the signing key is rotated; there is no session record on the server to revoke.