Wrong HTTP return code for expired JWT (exp claim)

Hello,

I have an API with JWT set as authentication mode and a shared secret. I have created a HMAC-enabled Policy. Like some others, I ran into the “expired key” error after one hour but I have found the solution in the community. Now, it is working.

I still have an issue: when I provide an expired JWT (with “exp” claim), I get a “403 Forbidden” status with the message “error”: “Key not authorized”.

The standard status code for this error should be “401 Unauthorized”. Is there any way to fix it?

Thank you :slight_smile:

References:
https://tools.ietf.org/html/rfc6750#section-3
(page 8)
And in response to a protected resource request with an
authentication attempt using an expired access token:

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: Bearer realm="example",
                   error="invalid_token",
                   error_description="The access token expired"
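As an added illustration of the behaviour the post asks for (not code from the original thread, and not Tyk's own JWT middleware), the following standalone Go program validates an HS256 token signed with a shared secret and maps an expired "exp" claim to a 401 response carrying the WWW-Authenticate challenge quoted from RFC 6750 section 3. The secret, the realm "example" and the claim values are constructed for the demo; the error message bodies are assumptions, not Tyk's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Sentinel errors that the HTTP layer maps to RFC 6750 responses.
var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadSignature = errors.New("signature verification failed")
	ErrExpired      = errors.New("token expired")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintHS256 builds an HS256-signed JWT from a claims map (constructed helper for the demo, not an issuer).
func MintHS256(claims map[string]any, secret []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// ValidateHS256 verifies the signature first, then checks the exp claim against now (RFC 7519: now must be before exp).
func ValidateHS256(token string, secret []byte, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return ErrMalformed
	}
	var header struct {
		Alg string `json:"alg"`
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &header) != nil || header.Alg != "HS256" {
		return ErrMalformed // refuse "none" or any algorithm other than the one configured
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return ErrMalformed
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return ErrBadSignature
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return ErrMalformed
	}
	var claims struct {
		Exp *int64 `json:"exp"`
	}
	if json.Unmarshal(body, &claims) != nil {
		return ErrMalformed
	}
	if claims.Exp != nil && now.Unix() >= *claims.Exp {
		return ErrExpired
	}
	return nil
}

// StatusFor maps a validation error to the status code and WWW-Authenticate value RFC 6750 section 3 prescribes:
// an invalid or expired token is 401 invalid_token, never 403 (403 is reserved for insufficient_scope).
func StatusFor(err error) (int, string) {
	switch {
	case err == nil:
		return http.StatusOK, ""
	case errors.Is(err, ErrExpired):
		return http.StatusUnauthorized, `Bearer realm="example", error="invalid_token", error_description="The access token expired"`
	default:
		return http.StatusUnauthorized, `Bearer realm="example", error="invalid_token"`
	}
}

// BearerMiddleware applies the validation to incoming requests; a missing token gets a bare 401 challenge.
func BearerMiddleware(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			w.Header().Set("WWW-Authenticate", `Bearer realm="example"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if err := ValidateHS256(strings.TrimPrefix(auth, "Bearer "), secret, time.Now()); err != nil {
			status, challenge := StatusFor(err)
			w.Header().Set("WWW-Authenticate", challenge)
			http.Error(w, `{"error":"`+err.Error()+`"}`, status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	secret := []byte("shared-secret-constructed-for-demo") // constructed, not a real key
	expired := MintHS256(map[string]any{"sub": "alice", "exp": time.Now().Add(-time.Hour).Unix()}, secret)
	status, challenge := StatusFor(ValidateHS256(expired, secret, time.Now()))
	fmt.Println(status, challenge)
}
```

The ordering matters: the signature is checked before the claims are read, so an attacker cannot learn anything about claim handling from an unsigned token, and the expired-token path is still reported as 401 with error="invalid_token" so clients know to refresh rather than treat the request as a permission problem.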

Hi,

Which version are you running?
Maybe I misunderstood, but per this link tyk/mw_jwt.go at 5dafcffa01fca8a7defe99375df886476fdab799 · TykTechnologies/tyk · GitHub the code has been fixed a while ago.

Thanks
Yaara

1 Like

Hello Yaara,

Thank you for your reply, I should have begun with that. I am currently running version 2.6.1 for the Gateway.

I have just checked: this was released on April 25th (if I am right), while this fix was made during May, so I guess it is time for an update :wink:

Thank you :slight_smile: