# 401 Unauthorized: JWT Claims Validation Failed

- **ID:** `api/jwt-claims-validation-failed`
- **Domain:** api
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

The registered claims in the JWT (such as `aud`, `iss`, `exp` or `nbf`) do not match what the verifying server expects. Time-based claims usually fail because of clock skew between the token issuer and the API server; an `aud` or `iss` mismatch is almost always a configuration error on one of the two sides.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| spring-security 6.2.0 | active | — | — |
| express-jwt 8.4.0 | active | — | — |
| PyJWT 2.8.0 | active | — | — |
| jsonwebtoken 9.0.0 | active | — | — |

## Solutions

1. Synchronize the clocks of the token issuer and the verifying server using NTP, then retry the request. For example, on Linux: `sudo ntpdate pool.ntp.org` for a one-off correction, or enable `systemd-timesyncd` so the clock stays in sync.
2. In the server configuration, allow a small leeway for clock skew (tens of seconds, e.g. 30 seconds; not minutes, because leeway extends the effective lifetime of every token). For express-jwt 8.x: `app.use(expressjwt({ secret: 'mysecret', algorithms: ['HS256'], clockTolerance: 30 }))` (the option is passed through to jsonwebtoken's `verify`; `algorithms` is required in this version).
3. Check that the `aud` (audience) and `iss` (issuer) claims in the token exactly match the values the server expects, and fix whichever side is wrong: the issuer's token-generation code or the server's configuration. Do not widen the accepted audience to make the token pass; a token minted for a different service should be rejected.

## Failed attempts

- **Regenerating the token** — Regenerating the token does not fix clock skew or a misconfigured audience/issuer; the new token carries the same claims and is rejected in the same way. (70% failure rate)
- **Disabling claim validation** — Turning off audience, issuer or expiry checks exposes the API to unauthorized access and token forgery. (90% failure rate)
- **Editing the token payload** — Changing the payload invalidates the signature, so the request fails signature verification instead. (80% failure rate)
