Auth0 Home Blog Docs

Help with leeway setting using Auth0-PHP



I’m new to Auth0 and auth0-php. I need to set the leeway option and I have no idea where to add the setting. An example would be great. I’m developing using SLIM 3.0, php 7.1.20 and Auth0-php 5.1.4.

Here is the error that I’m getting without the leeway setting.

Invalid Token Exception: errCode=401, statusText=Cannot handle token prior to 2018-08-23T15:19:15-0700 []

Based on my reading, leeway is the solution. I don’t know where to place it in my code.


Hey there Scott4! I see you were working on a support ticket with Kris previously but I wanted to reach out and confirm you were able to get the leeway option resolved successfully. Please feel free to let me know if you have any additional questions as I’m happy to help!


Hello Jim,

Thank you for reaching out. I thought I did get it working, but the next day I had the same issue. I had the leeway option on the JWTVerifier creation, but that doesn’t seem to be the right place. So, I placed a 5 second delay in my code and that solved the issue. Not the way I would like it to work.



I’m sorry to hear that Scott4 and I will definitely relay the feedback on expanding the documentation related to Leeway. If there is anything else further I can help you with, I would be happy to accommodate.


Hi Scott. Try setting the leeway for the jwt-php package, as instructed here:

It seems that the php-jwt library uses the “iat” (issued at) claim to validate when the token is valid from. There’s a bit of a controversy around this, as many feel that the “nbf” (not before) claim should be used for that validation (if present), and treat “iat” as merely informative. In any case, setting the leeway should work as a valid workaround.


Hello Nicolas_sabena,

I had tried that previous to bring the issue up. I’m using the Auth0-PHP library and the file I modified is Auth0JWT.php. Here is the code:


namespace Auth0\SDK;

 * This class provides access to Auth0 JWT decoder.
 * @author Auth0
 * @deprecated This class is provided to bring backward compatibility and will be soon removed. Use Auth0\SDK\JWTVerifier instead
class Auth0JWT {

  public static function decode($jwt, $valid_audiences, $client_secret, array $authorized_iss = [], $cache = null) {

    $verifier = new JWTVerifier([
        'valid_audiences' => is_array($valid_audiences) ? $valid_audiences : [$valid_audiences],
        'client_secret' => $client_secret,
        'authorized_iss' => $authorized_iss,
        'cache' => $cache,
        **'leeway' => 5,**

    return $verifier->verifyAndDecode($jwt);

This has no effect on the token generation problem. This is the reason for me asking where the leeway parameter should be set. Hope this helps and thank you again for reaching out.


The ** is only to highlight where the change was added. ‘**’ was not in the tested code.


There’s no leeway initialization option for the JWTVerifier AFAIK, so you’ll need to set the option directly for Firebase’ php-jwt module, with this:

**Somewhere in your project before the auth0 sdk is initialized add this line:

\Firebase\JWT\JWT::$leeway = X;


Ok, I get it now. This line \Firebase\JWT\JWT::$leeway = X; can be added to my code after the auto_loader and before the Auth0 code is instantiated. Thank you for your patients. My confusion was that I didn’t know that Auth0 was using Firebase package. I have removed the sleep(5) that I was using and run the tests. All passed without having the token issue. THANK YOU THANK YOU THANK YOU!!!


Thank you for your patience! Glad this is solved!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.