JSON Web Key (JWK) expiration, not-before and issued-at times

A JWK can include expiration (exp), not-before (nbf) and issued-at (iat) time attributes. The attribute names and their semantics are identical to those of the corresponding JWT claims.

  • exp -- The key expiration time.
  • nbf -- The key use not-before time.
  • iat -- The key issue time.

All times are represented as an integer number of seconds since the Unix epoch.

Example RSA JWK with nbf and exp to indicate its time window of validity:

{
    "kty" : "RSA",
    "n"   : "5s4qi...",
    "e"   : "AQAB",
    "use" : "sig",
    "kid" : "c748ab7f-d674-456b-ade8-178d532d2fe0",
    "nbf" : 1672571260,
    "exp" : 1672574860
}

To generate an RSA JWK and set a validity time window of 24 hours:

import java.util.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;

Date now = new Date();
Date nbf = now;
Date exp = new Date(nbf.getTime() + 24 * 60 * 60 * 1000L); // 24 hours, ms precision

RSAKey jwk = new RSAKeyGenerator(2048)
    .keyUse(KeyUse.SIGNATURE)
    .keyID(UUID.randomUUID().toString())
    .expirationTime(exp)
    .notBeforeTime(nbf)
    .generate();

To build an RSA JWK from a Java RSAPublicKey and record its issue time:

import java.security.interfaces.*;
import java.util.*;
import com.nimbusds.jose.jwk.*;

RSAPublicKey publicKey = ...;

Date iat = new Date();

RSAKey jwk = new RSAKey.Builder(publicKey)
    .keyUse(KeyUse.SIGNATURE)
    .issueTime(iat)
    .build();

When a JWK is parsed from an X.509 certificate, its exp and nbf are set to the certificate's not-after and not-before attributes.
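
The time attributes only help if the key consumer checks them before using the key. The following is an added example, not part of the library documentation, of such a check using the JWK getters getNotBeforeTime() and getExpirationTime(). The class name JwkValidityWindow, the isUsableAt helper, the 60 second clock-skew allowance and the policy of treating an absent attribute as unbounded are assumptions made for illustration.

```java
import java.util.Date;
import java.util.UUID;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

public class JwkValidityWindow {

    // Assumed allowance for clock drift between key issuer and consumer.
    static final long MAX_CLOCK_SKEW_MS = 60_000L;

    /** Returns true if the key may be used at the given instant. */
    static boolean isUsableAt(JWK jwk, Date at) {
        Date nbf = jwk.getNotBeforeTime();
        Date exp = jwk.getExpirationTime();
        // Assumed policy: an absent attribute puts no bound on that side.
        if (nbf != null && at.getTime() + MAX_CLOCK_SKEW_MS < nbf.getTime()) {
            return false; // key is not valid yet
        }
        if (exp != null && at.getTime() - MAX_CLOCK_SKEW_MS >= exp.getTime()) {
            return false; // key has expired
        }
        return true;
    }

    public static void main(String[] args) throws JOSEException {
        // Constructed sample key with a one-hour window starting now.
        Date now = new Date();
        Date exp = new Date(now.getTime() + 60 * 60 * 1000L);
        RSAKey jwk = new RSAKeyGenerator(2048)
            .keyUse(KeyUse.SIGNATURE)
            .keyID(UUID.randomUUID().toString())
            .notBeforeTime(now)
            .expirationTime(exp)
            .generate();

        // Probe instants ten minutes outside either end of the window.
        Date beforeWindow = new Date(now.getTime() - 10 * 60 * 1000L);
        Date afterWindow = new Date(exp.getTime() + 10 * 60 * 1000L);

        System.out.println("now:    " + isUsableAt(jwk, now));
        System.out.println("before: " + isUsableAt(jwk, beforeWindow));
        System.out.println("after:  " + isUsableAt(jwk, afterWindow));
    }
}
```

Deployments that require every key to carry an expiration can reject keys where getExpirationTime() returns null instead of treating them as unbounded.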