Server A issues a JWT. Server B validates it 2 seconds later but thinks the token was issued in the future — invalid. Or a token that should be expired is still accepted because the validating server's clock is 5 minutes behind. Clock skew causes authentication failures and security holes.
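Both failure modes can be reproduced with a minimal time-claim check. This is an added example, not code from the original page; the function `check_time_claims`, its `leeway` parameter and the timestamps are constructed for illustration, and signature verification is assumed to have already succeeded.

```python
from typing import NamedTuple

class Verdict(NamedTuple):
    ok: bool
    reason: str

def check_time_claims(claims: dict, validator_now: int, leeway: int = 0) -> Verdict:
    """Check JWT iat/nbf/exp (seconds since epoch) against the validator's own clock.

    leeway is the clock skew, in seconds, the validator is willing to tolerate.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return Verdict(False, "missing exp")
    # Not-yet-valid side: a validator whose clock runs behind sees iat/nbf "in the future".
    for name in ("iat", "nbf"):
        value = claims.get(name)
        if value is not None and value > validator_now + leeway:
            return Verdict(False, f"{name} in the future")
    # Expiry side: the token is expired once the leeway-adjusted clock reaches exp.
    if validator_now - leeway >= exp:
        return Verdict(False, "expired")
    return Verdict(True, "ok")

# Constructed sample token: issued by server A at T0, valid for 300 seconds.
T0 = 1_700_000_000
TOKEN = {"iat": T0, "nbf": T0, "exp": T0 + 300}

def scenarios() -> dict:
    return {
        # True time is T0+2, but server B's clock is 5 s behind and reads T0-3.
        "b_behind_no_leeway": check_time_claims(TOKEN, T0 - 3),
        "b_behind_leeway_30": check_time_claims(TOKEN, T0 - 3, leeway=30),
        # True time is T0+400 (expired 100 s ago); validator clock is 5 min behind.
        "expired_clock_5min_behind": check_time_claims(TOKEN, T0 + 100),
        # Same moment, validator clock synchronized.
        "expired_clock_synced": check_time_claims(TOKEN, T0 + 400, leeway=30),
        # Cost of leeway: a synced validator at T0+310 still accepts the token.
        "leeway_extends_lifetime": check_time_claims(TOKEN, T0 + 310, leeway=30),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} {verdict.ok!s:5} {verdict.reason}")
```

A small leeway absorbs second-level skew on the not-yet-valid side, but it also extends every token's effective lifetime by the same amount. It does nothing for a validator whose clock is minutes behind; that case is only fixed by synchronizing the clock.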