Cannot handle token prior to <timestamp>

Using PHP, on my local dev environment, I use the Auth0 code (v5) to redirect and Authenticate. Once authenticated, I am redirected back to my starting page and I receive a Core Exception:

Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Cannot handle token prior to 2019-06-12T13:22:16+0000 in /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/vendor/auth0/auth0-php/src/JWTVerifier.php:226
Stack trace:
#0 /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/vendor/auth0/auth0-php/src/Auth0.php(659): Auth0\SDK\JWTVerifier->verifyAndDecode(‘eyJ0eXAiOiJKV1Q…’)
#1 /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/vendor/auth0/auth0-php/src/Auth0.php(556): Auth0\SDK\Auth0->setIdToken(‘eyJ0eXAiOiJKV1Q…’)
#2 /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/vendor/auth0/auth0-php/src/Auth0.php(458): Auth0\SDK\Auth0->exchange()
#3 /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/EmailFiles.php(23): Auth0\SDK\Auth0->getUser()
#4 {main}
thrown in /Users/paulshriner/Documents/Reach/AudienceOptimizer-UI/vendor/auth0/auth0-php/src/JWTVerifier.php on line 226

This is new code, so it has not worked previously. The werid thing is the TimeStamp is returning UTC. My local machine is running in EST, so that could absolutely be the source of a TS-offset. I tried to adjust the Leeway setting to no avail.

Here is a copy of the code (values removed.) It is pretty vanilla:

use Auth0\SDK\Auth0;

$auth0 = new Auth0([
    'domain' => '',
    'client_id' => '',
    'client_secret' => '',
    'redirect_uri' => 'http://localhost:8888/AudienceOptimizer-UI/EmailFiles.php',
    'persist_id_token' => true,
    'persist_access_token' => true,
    'persist_refresh_token' => true

  $userInfo = $auth0->getUser();

  if (!$userInfo) {
} else {
    echo "YES->>>>>> " . $userInfo["user_id"];

Mostly to document my journey, I thought I would update my post as I go with progress, for anyone attempting to help or for future readers facing the same problem.

I think that the problem is timestamp used to compare against the exp property from the payload response. In the JWT.php which originates that exception, there are two clues:

     * Allow the current timestamp to be specified.
     * Useful for fixing a value within unit testing.
     * Will default to PHP time() value if null.
    public static $timestamp = null;

time() will always come back in UTC. Line 71, will let you set that value.

$timestamp = is_null(static::$timestamp) ? time() : static::$timestamp;

Short Answer RTFM!

Long Answer:


* You can add a leeway to account for when there is a clock skew times between

* the signing and verifying servers. It is recommended that this leeway should

* not be bigger than a few minutes.


* Source:


JWT::$leeway = 60; // $leeway in seconds
1 Like