iat (Issued At) Claim
The iat (issued at) claim is a registered JWT NumericDate indicating when the token was created, in seconds since Unix epoch. It supports freshness policies, audit logging, and maximum token age checks beyond exp. Some systems reject tokens older than a threshold even if exp has not passed. iat should be set at issuance and must not be trusted if the signature is invalid. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.
Why It Matters
iat helps detect replayed stale tokens and debug clock skew between services. Combine iat with exp for complete lifetime visibility in logs. Do not rely on iat alone for revocation — pair with short exp and server-side controls. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.
Code Example
{
"sub": "user_42",
"iat": 1720450800,
"exp": 1720454400
}Related Terms
Related Tools
Related Articles
Frequently Asked Questions
Is iat required?
Optional per RFC 7519, but recommended for observability and custom max-age validation policies. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.
Can iat be in the future?
It should not be. Reject tokens with iat significantly ahead of verifier time, accounting for small skew. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.
iat vs exp?
iat marks creation time; exp marks invalidation time. Together they define the token lifetime window. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.