
Clarification on "SHORTEST POSSIBLE EXPIRATION" recommendation for JWTs

Open dylanratcliffe opened this issue 2 years ago • 0 comments

Under the Automated sign up services - JWT and NKEY libraries section of the In Depth JWT Guide it states:

For sign up service issued JWTs, ALWAYS set the SHORTEST POSSIBLE EXPIRATION

As far as I can understand the expiration for a JWT is set as a UNIX epoch, and therefore the shortest possible expiration would be some negative value, as you could set the expiry time to be in the past, or to the same time as the creation time. I doubt that the intention here is to insist that all JWTs issued by custom signup services expire immediately, but as far as I can tell that's what it's saying.

It would be good if instead this explained why someone might want to have a short expiration, or why you might not want to have a long expiration, as I'm not really sure what the implications are. Similarly it would be good to understand how NATS clients handle expired tokens and if there's anything special we need to do if tokens are expiring frequently, especially given that account JWTs need to be loaded into the NATS infrastructure. If I had 1000 accounts with JWTs that expired every minute surely that would be wasteful.

dylanratcliffe, Feb 01 '22 04:02
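To make the timing question concrete, here is an added illustration (not code from the NATS docs or the nats-io/jwt library) of the `iat`/`exp` semantics a sign-up service deals with: both are UNIX epoch seconds, a TTL of zero or less yields a token that is expired at issue time, and a short TTL translates directly into re-issue load. The token, subject and TTL values are constructed, and no nkey signing or verification is performed.

```python
import base64
import json
import time
from typing import Optional

# Constructed illustration of the timing rules behind "shortest possible
# expiration". Not the nats-io/jwt library; signing is deliberately omitted.


def issue_claims(subject: str, ttl_seconds: int, now: Optional[int] = None) -> dict:
    """Timing claims for a short-lived user JWT; iat/exp are epoch seconds.

    A TTL of 0 or less gives exp <= iat, i.e. a token expired on arrival, so
    "shortest possible" has to mean: shortest that still covers the session.
    """
    if ttl_seconds < 1:
        raise ValueError("ttl must be >= 1 second; 0 or negative expires immediately")
    now = int(time.time()) if now is None else now
    return {"sub": subject, "iat": now, "exp": now + ttl_seconds}


def _b64url(obj: dict) -> str:
    # base64url without padding, as used in compact JWT serialisation
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def claims_from_token(token: str) -> dict:
    """Read the payload segment of a compact JWT (header.payload.signature).

    Inspection only; a real server verifies the nkey signature first.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_expiry(claims: dict, now: Optional[int] = None) -> str:
    """Mirror the connect-time check: exp of 0/absent means no expiration."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp", 0)
    if exp == 0:
        return "no-expiration"
    return "expired" if now >= exp else "valid"


def reissues_per_hour(clients: int, ttl_seconds: int) -> float:
    """Rough minting load a TTL policy implies for `clients` active users."""
    return clients * 3600 / ttl_seconds


# Constructed, unsigned sample token; "sig" stands in for the nkey signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "ed25519-nkey"}),
    _b64url(issue_claims("UCONSTRUCTED", 60, now=1_700_000_000)),
    "sig",
])
```

With a 60-second TTL, `reissues_per_hour(1000, 60)` shows the 1000-client case from the question costs 60,000 fresh tokens an hour, which is the trade-off the guide's wording leaves implicit.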