Okay so the documentation isn't very clear, but maybe this section on authenticating with JWT is implying that the 'exp' can be at most 10 minutes later than the 'iat'? If this is the case, then I think that 1. The documentation needs to be more clear that 10 minutes is the maximum time hardcoded into the GitHub server (I've been misinterpreting that section to mean "in this example, 10 minutes is the maximum amount of time this token will be available for") 2. The GitHub server should be lenient within a few seconds, because I think I was getting rounding errors when creating a token at "00:00:00.8", setting the expiration for "00:10:00.8", and both of them rounding up when casting to an integer, creating an exp 10 minutes and 1 second into the future.
... View more