You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The comment said the JWT lifetime is "capped at 5 minutes" but
the code only used 5 minutes as a default — callers could pass
arbitrarily large lifetimeSec and produce tokens the JSS verifier
would later reject for exceeding MAX_LIFETIME (3600s).
Now enforces the same 3600s cap at sign time so we don't mint
tokens the server will refuse, and rejects non-numeric / non-positive
input. Comment updated to describe the actual behavior (default
300s, enforced cap 3600s, matches server).
0 commit comments