Hi, We have a keycloak set up where the Access Token Lifespan is set to 5 minutes. We get the access token using the following command : curl -d "client_id=admin-cli" -d "username=admin_user" -d "password=admin_user" -d "grant_type=password" " http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token " Now we use the following command to get the user details curl -H "Authorization: bearer "access token value got earlier" " http://192.168.56.101:8080/auth/realms/REALM/protocol/openi d-connect/userinfo" The expectation is that the second command works till the token expiry time which is 5 minutes and after 5 minutes the token not valid error should be seen. But while running the tests multiple times, we are seeing that sometimes the token is valid for more than 5 minutes by almost 500 milliseconds. From the RFC for JWT https://tools.ietf.org/html/rfc7519 4.1.4. "exp" (Expiration Time) Claim The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL. So is this delay intentional from the keycloak implementors ? Thanks Rahul