I was playing around with ROR and jwt (notably using https://www.jsonwebtoken.io/ for jwt generation) and I found something weird.
When I do change the expiry (exp field) to something which is already expired - like 1 second after emitting - the authentication is still considered valid and I can still access the cluster using the same JWT. Is it a known bug or am I doing something wrong ?