API returns 401, The request is with a future issuance timestamp (iat)

Fireblocks signature uses JWT which includes IAT field, issued at. I am using utc time, as recommended.

Fireblocks api is returning 401, with message that IAT is in the future. (The request is with a future issuance timestamp (iat).)

However, the IAT value of my JWT is in sync with https://www.utctime.net/ and Current UTC — Coordinated Universal Time to the second.

I guess it is possible to adjust move my clock behind 1 second at a time until errors stops, but of course this is a hacky approach and totally unreliable when it comes to prod deployment.

What can I try?

Hi @stde

Alec from Fireblocks Support here. Are you using one of our official SDKs (JS or Python)? If so, then please re-synchronize your system clock. If not, and you are sure that your system clock is synced, please ensure that your IAT value is in milliseconds. If these steps don’t help, please share how you are generating the IAT timestamp.

Thanks your reply. The timestamp is generated in standard manner for dotnet, that is

var descriptor = new SecurityTokenDescriptor
{
    IssuedAt = DateTime.UtcNow,
    Expires = DateTime.UtcNow.AddSeconds(29)
};

This creates a token whose IAT is the number of seconds since 1/1/1970.

Same code works for some of the requests, but fails for others.
eg. works for [POST /v1/vault/accounts] and [POST /v1/vault/accounts/:vaultId/:assetId]
eg. fails for [POST /v1/vault/accounts/:vaultId/set_customer_ref_id]

I"m having the same issue. I’m usign the Python SDK and my system clock is synchronized. What should I do?