From bffeb9c2e49b253995b1cd15809d2a86eec49456 Mon Sep 17 00:00:00 2001
From: William Edmisten
Date: Thu, 1 Sep 2022 13:23:37 -0400
Subject: [PATCH 1/2] Invalidate exp when exp == now()
---
 jwt/api_jwt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index 91a6d2e8..a3917934 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -230,7 +230,7 @@ def _validate_exp(self, payload, now, leeway):
 except ValueError:
 raise DecodeError("Expiration Time claim (exp) must be an" " integer.")
- if exp < (now - leeway):
+ if exp <= (now - leeway):
 raise ExpiredSignatureError("Signature has expired")
 def _validate_aud(self, payload, audience):
From 83842febf87f5d5a150fcd75e4800f004fb56d38 Mon Sep 17 00:00:00 2001
From: William Edmisten
Date: Tue, 20 Sep 2022 08:42:46 -0400
Subject: [PATCH 2/2] Update changelog
---
 CHANGELOG.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index fb936fd0..24322031 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,8 @@ Changed
 Fixed
 ~~~~~
+- Invalidate token on the exact second the token expires `#797 `_
+
 Added
 ~~~~~
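Review bot: The boundary in `if exp <= (now - leeway):` is neither explained nor tested in this series, so the `<=` can easily be read as an off-by-one and reverted later. RFC 7519 §4.1.4 requires the current time to be strictly before `exp`, which is what the new comparison enforces; a comment above the line such as `# RFC 7519 4.1.4: now must be before exp, so exp == now - leeway is already expired` would record that. The two patches only touch `jwt/api_jwt.py` and the changelog, so a regression test pinning both `exp == now` and `exp == now - leeway` as rejected is still missing. The start of `_validate_exp` lies outside the hunk, so how `exp` and `now` are derived (integer or float seconds) cannot be confirmed from here.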