All JWT tokens must have an expiry time.
If we remove the exp field(for our tests or any other hack), the JWT token validation passes.
Shouldn’t we have an option like the one created by Go in their new library, which enforces a check on the expiration time, as having no exp in the token doesn’t make sense.
What is your take on this?
Hi @ayush.parwal,
Welcome to the Auth0 Community!
Firstly, JWT tokens are immutable and the exp claim is part of the JWT reserved claims that are not required, but are recommended to allow operability with third-party-apps. (Reference: JSON Web Token Claims)
Is there a reason why you have decided to remove the exp claim? In general, you should keep the exp claim.
Additionally, could you confirm if you removed the exp claim after the JWT has been signed and issued?
Thanks,
Rueben