Summary
When using HashiCorp Vault’s JWT or OIDC authentication method, you may encounter the following error:
error validating token: no issued at (iat), not before (nbf), or expiration time (exp) claims in token
This article explains the possible cause of the error and how to resolve it.
Possible cause
Vault requires every JWT it validates to carry the following claims so that it can check the token's lifecycle:
- iat (Issued At)
- nbf (Not Before)
- exp (Expiration Time)
The error occurs when one or more of these claims are missing from the JWT. Vault uses them to ensure the token is currently valid and hasn’t expired or been used prematurely.
Resolution
Update your JWT issuer to include the required claims:
Ensure that the JWT token being passed to Vault includes the following claims:
- iat (Issued At)
- nbf (Not Before)
- exp (Expiration Time)
Example JWT payload:
{
  "sub": "user@example.com",
  "aud": "vault",
  "iat": 1713445200,
  "nbf": 1713445200,
  "exp": 1713448800
}
You can inspect your token using https://jwt.io or any JWT decoding tool to verify these claims.
Update the role configuration to disable not_before_leeway and expiration_leeway:
not_before_leeway and expiration_leeway are configurable parameters of a JWT auth role that account for clock skew in the nbf and exp claims respectively. Both default to 150 seconds and can be disabled by setting their value to "-1".
If all required claims are present and the error above is still returned during authentication, set both parameters on the role to "-1".
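To check a token the way this article describes before handing it to Vault, here is an added Python example (not Vault's own code or its validation library): it decodes the payload the way jwt.io does, reports which of iat/nbf/exp are missing, and then applies the role's expiration_leeway and not_before_leeway (150 seconds by default, -1 to disable) to the exp and nbf checks. The sample token is constructed from the article's example payload; make_unsigned_token and check_lifecycle_claims are helpers of this example, not Vault APIs, and the check is a model of the behaviour the article states rather than a copy of Vault's implementation.

```python
import base64
import json

# Default not_before_leeway / expiration_leeway of a Vault JWT auth role, in
# seconds; the article notes that a value of -1 disables the leeway entirely.
DEFAULT_LEEWAY = 150

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature, for local inspection only
    (constructed sample; Vault rejects unsigned tokens at verification)."""
    header = b64url(b'{"alg":"none","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."

def decode_payload(token: str) -> dict:
    """Return the payload claims without verifying the signature; this is
    what jwt.io shows, and all the lifecycle check below needs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_lifecycle_claims(claims: dict, now: int,
                           expiration_leeway: int = DEFAULT_LEEWAY,
                           not_before_leeway: int = DEFAULT_LEEWAY) -> list:
    """Model of the checks the article describes: all three claims must be
    present, then exp/nbf are compared to `now` with the role's leeway."""
    missing = [c for c in ("iat", "nbf", "exp") if c not in claims]
    if missing:
        return ["missing claims: " + ", ".join(missing)]
    problems = []
    exp_slack = max(expiration_leeway, 0)  # -1 means no leeway at all
    nbf_slack = max(not_before_leeway, 0)
    if now > claims["exp"] + exp_slack:
        problems.append("token expired")
    if now < claims["nbf"] - nbf_slack:
        problems.append("token not yet valid")
    return problems

# Constructed sample matching the article's example payload.
SAMPLE_CLAIMS = {"sub": "user@example.com", "aud": "vault",
                 "iat": 1713445200, "nbf": 1713445200, "exp": 1713448800}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
```

Against a real token, call check_lifecycle_claims(decode_payload(token), int(time.time())) and compare the result with the leeway values configured on the Vault role.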
Best practices
- Decode and inspect your JWT using jwt.io or a JWT CLI tool.
- Check IdP (Identity Provider) configuration or token generation method to ensure the required claims are present.
- Review Vault server logs with trace mode enabled:
vault server -log-level=trace