
Expirations are not really relevant to this. It won't prevent a user from forging new tokens with a different expiration (using a broken algorithm), nor will it somehow magically make the original token unreadable.

The expiration is just an additional value in the payload that the implementation is supposed to check against.
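Added example, not part of the comment above: a minimal HS256 verifier in Python showing that `exp` only has effect when the verifier checks it after a pinned-algorithm signature check, and that an expired token's payload stays readable. It assumes the thread is about JWT-style tokens; the key, claim values and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample secret, not from the thread

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(payload: dict, key: bytes = KEY) -> str:
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def read_unverified(token: str) -> dict:
    # Anyone holding the token can do this; expiry does not hide the payload.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token: str, now: float, key: bytes = KEY) -> dict:
    """Return the payload or raise ValueError. Signature first, exp second."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # The verifier pins the algorithm; the token's header does not get to choose.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    # exp is just a number in the payload; it only matters because of this check.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired")
    return payload

def outcome(token: str, now: float) -> str:
    try:
        verify(token, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)

def swap_payload(token: str, payload: dict) -> str:
    # Constructed tamper case: new payload, original signature kept.
    head_b64, _, sig_b64 = token.split(".")
    return f"{head_b64}.{encode_part(payload)}.{sig_b64}"
```

A token whose payload was rewritten with a later `exp` is rejected by the signature check, and one whose header names a different algorithm is rejected by the pin; neither rejection comes from the expiry check.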
