diff --git a/src/TokenHandler.js b/src/TokenHandler.js
index f6dbf7e2..b673d883 100644
--- a/src/TokenHandler.js
+++ b/src/TokenHandler.js
@@ -192,9 +192,10 @@ class TokenHandler extends SMARTHandler {
 if (key.kid !== validated.header.kid) {
 console.error(`Expected JWT kid (${validated.header.kid}) to match (${key.kid})`);
 }
- const now = Math.floor(Date.now() / 1000);
- if (now > payload.exp) {
- console.error(`${now}: JWT expired at ${payload.exp}, ${now - payload.exp} seconds ago`);
+ const fiveMinutesFromNow = Math.floor(Date.now() / 1000) + 300;
+ if (payload.exp > fiveMinutesFromNow) {
+ const error = `JWT expiration (${payload.exp}) is too permissive, should be no greater than 5 minutes.`;
+ console.error(error);
 }
 if (payload.iss !== payload.sub) {
 console.error(`Mismatched JWT iss (${payload.iss}) != sub (${payload.sub})`);
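Review bot: The expiry check is lost in this hunk — with `if (now > payload.exp)` removed, an already-expired assertion now passes this branch silently, because the new condition only bounds how far in the future `exp` may lie. Both bounds are needed: flag an `exp` in the past and an `exp` more than 300 seconds ahead, computed from one `now` so the two comparisons agree. A missing or non-numeric `exp` also satisfies neither comparison (`undefined > n` is `false`), so the branch should first require `typeof payload.exp === 'number'` and report that case explicitly. As before the change, these branches only call `console.error`; whether the caller rejects the assertion on any of these conditions is not visible in the hunk. The enclosing method begins and ends outside the hunk.
```javascript
const now = Math.floor(Date.now() / 1000);
if (typeof payload.exp !== 'number') {
    console.error(`JWT exp claim missing or not numeric (${payload.exp})`);
} else if (now > payload.exp) {
    console.error(`${now}: JWT expired at ${payload.exp}, ${now - payload.exp} seconds ago`);
} else if (payload.exp > now + 300) {
    console.error(`JWT expiration (${payload.exp}) is too permissive, should be no greater than 5 minutes.`);
}
// … unchanged: iss/sub comparison …
```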