{
  "id": "api/jwt-claims-validation-failed",
  "signature": "401 Unauthorized: JWT claims validation failed",
  "signature_zh": "401 未授权：JWT 声明验证失败",
  "regex": "401\\s+Unauthorized:\\s+JWT\\s+claims\\s+validation\\s+failed",
  "domain": "api",
  "category": "auth_error",
  "subcategory": null,
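  "root_cause": "One or more of the JWT's claims (e.g., audience, issuer, or expiration) fail the server's validation: the audience or issuer differs from the value the server is configured to expect, or the token falls outside its validity window, often due to clock skew or misconfiguration.",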
  "root_cause_type": "generic",
  "root_cause_zh": "JWT 的一项或多项声明（如受众、颁发者或过期时间）未通过服务器验证：受众或颁发者与服务器配置的期望值不一致，或令牌不在其有效期内，通常由时钟偏差或配置错误导致。",
  "versions": [
    {
      "version": "spring-security 6.2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "express-jwt 8.4.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "PyJWT 2.8.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "jsonwebtoken 9.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Token regeneration does not fix clock skew or misconfigured audience/issuer values; the new token will still be rejected.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
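      "why_fails": "Disabling validation removes the check instead of fixing the mismatch: the server then accepts expired tokens and tokens issued for a different audience or by a different issuer, which exposes the API to unauthorized access and token forgery.",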
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Changing the payload invalidates the signature, because the signature covers the encoded header and payload; the request then fails signature verification instead.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Synchronize server and client clocks using NTP, then retry the request. For example, on Linux: `sudo ntpdate pool.ntp.org` or enable `systemd-timesyncd`.",
      "success_rate": 0.75,
      "how": "Synchronize server and client clocks using NTP, then retry the request. For example, on Linux: `sudo ntpdate pool.ntp.org` or enable `systemd-timesyncd`.",
      "condition": "",
      "sources": []
    },
    {
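      "action": "In the server configuration, set a leeway for clock skew (e.g., 30 seconds). For express-jwt: `app.use(jwt({ secret: 'mysecret', clockTolerance: 30 }))`. Keep the leeway as small as the observed skew allows, because an expired token stays acceptable for that many extra seconds. In the example, `'mysecret'` stands in for a key loaded from configuration or a secret store, and recent express-jwt releases also require an explicit `algorithms` list.",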
      "success_rate": 0.85,
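      "how": "In the server configuration, set a leeway for clock skew (e.g., 30 seconds). For express-jwt: `app.use(jwt({ secret: 'mysecret', clockTolerance: 30 }))`. Keep the leeway as small as the observed skew allows, because an expired token stays acceptable for that many extra seconds. In the example, `'mysecret'` stands in for a key loaded from configuration or a secret store, and recent express-jwt releases also require an explicit `algorithms` list.",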
      "condition": "",
      "sources": []
    },
    {
      "action": "Verify that the 'aud' (audience) and 'iss' (issuer) claims in the token match the server's expected values. Update the token generation code or server configuration accordingly.",
      "success_rate": 0.9,
      "how": "Verify that the 'aud' (audience) and 'iss' (issuer) claims in the token match the server's expected values. Update the token generation code or server configuration accordingly.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Synchronize server and client clocks using NTP, then retry the request. For example, on Linux: `sudo ntpdate pool.ntp.org` or enable `systemd-timesyncd`.",
    "In the server configuration, set a leeway for clock skew (e.g., 30 seconds). For express-jwt: `app.use(jwt({ secret: 'mysecret', clockTolerance: 30 }))`.",
    "Verify that the 'aud' (audience) and 'iss' (issuer) claims in the token match the server's expected values. Update the token generation code or server configuration accordingly."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://tools.ietf.org/html/rfc7519#section-4.1",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2024-03-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2025-01-20",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}