MCPSafe.io
© 2026 MCPSafe. All rights reserved.

Configuration & Environment

JWT issued without expiration

Severity: HIGH | CWE: CWE-613 | Rule: MCP-231

MCP server issues JWTs without an `exp` claim — any token, once leaked, is valid forever, eliminating revocation as a defense.

What it is

The `exp` claim is the JWT spec's expiration mechanism. Without it, a leaked token is permanently valid and there's no graceful rotation story — the only recovery is rotating the signing key, which invalidates every issued token at once. Short-lived tokens (15-30 minutes) limit the blast radius of any single leak.

Why it matters for MCP

Long-lived MCP server sessions encourage developers to issue long-lived tokens for ergonomic reasons. That convenience is paid for when a token leaks: instead of a 30-minute exposure window, it's an indefinite one. Combined with token-passthrough patterns (MCP-265), a single leaked MCP-server token can be replayed to multiple downstream APIs forever.

Vulnerable example

example.py

import jwt

# KEY is the RS256 private signing key, assumed to be loaded elsewhere in the module.

def issue_token(user_id: str) -> str:
    # No "exp" claim: the token never expires and cannot be aged out.
    payload = {"sub": user_id, "scope": "read"}
    return jwt.encode(payload, KEY, algorithm="RS256")

Secure example

example.py

import jwt
from datetime import datetime, timedelta, timezone

# KEY is the RS256 private signing key, assumed to be loaded elsewhere in the module.

def issue_token(user_id: str) -> str:
    # PyJWT converts datetime values for "iat" and "exp" to Unix timestamps.
    now = datetime.now(timezone.utc)
    payload = {
        "sub": user_id,
        "scope": "read",
        "iat": now,
        "exp": now + timedelta(minutes=15),  # short lifetime bounds a leak
    }
    return jwt.encode(payload, KEY, algorithm="RS256")

How MCPSafe detects this

MCPSafe flags `jwt.encode(...)` / `jsonwebtoken.sign(...)` calls whose payload object lacks an `exp` field. Calls that pass `expiresIn:` (jsonwebtoken) or include `exp` in the payload dict are exempted.
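An added illustration of the detection logic described above, not MCPSafe's own scanner: a stdlib-only AST pass over Python source that flags `jwt.encode(...)` calls whose payload dict literal (or a local variable assigned a dict literal) lacks an `exp` key. The sample source it scans is constructed here; `KEY` is an unresolved placeholder in that sample.

```python
import ast
from typing import List, Optional, Set, Tuple

# Constructed sample: one issuer without "exp" (vulnerable), one with a 15-minute "exp".
SAMPLE_SOURCE = '''
import jwt
from datetime import datetime, timedelta, timezone

def issue_token(user_id):
    payload = {"sub": user_id, "scope": "read"}
    return jwt.encode(payload, KEY, algorithm="RS256")

def issue_short_token(user_id):
    now = datetime.now(timezone.utc)
    return jwt.encode({"sub": user_id, "exp": now + timedelta(minutes=15)}, KEY, algorithm="RS256")
'''

def _is_jwt_encode(call: ast.Call) -> bool:
    # Matches the PyJWT spelling `jwt.encode(...)` only.
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "encode"
            and isinstance(f.value, ast.Name) and f.value.id == "jwt")

def _dict_keys(node: ast.AST) -> Optional[Set[str]]:
    """String keys of a dict literal, or None if the node is not a dict literal."""
    if not isinstance(node, ast.Dict):
        return None
    return {k.value for k in node.keys if isinstance(k, ast.Constant) and isinstance(k.value, str)}

def find_missing_exp(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for each jwt.encode call whose payload lacks an "exp" claim.
    Heuristic: scans function bodies only and resolves a payload name through the
    function's own single-target assignments; anything else is reported for manual review."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        local_values = {}
        for stmt in ast.walk(func):
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                local_values[stmt.targets[0].id] = stmt.value
        for call in ast.walk(func):
            if not (isinstance(call, ast.Call) and _is_jwt_encode(call) and call.args):
                continue
            payload = call.args[0]
            if isinstance(payload, ast.Name):
                payload = local_values.get(payload.id, payload)
            keys = _dict_keys(payload)
            if keys is None:
                findings.append((call.lineno, "payload not a dict literal; review manually"))
            elif "exp" not in keys:
                findings.append((call.lineno, f"jwt.encode payload lacks 'exp' in {func.name}"))
    return findings
```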


Further reading

  • CWE-613: Insufficient Session Expiration
  • RFC 7519 — JWT Claims
