diff --git a/v2/auth/jwt.go b/v2/auth/jwt.go
index b0686944..d3087a0f 100644
--- a/v2/auth/jwt.go
+++ b/v2/auth/jwt.go
@@ -19,17 +19,17 @@ func IsTokenValid(token string, tokenExpireDurationDiff time.Duration) bool {
 return false
 }
- ts := time.Now().Add(tokenExpireDurationDiff)
+ ts := time.Now()
- if claims.ExpiresAt != nil && ts.Before(claims.ExpiresAt.Time) {
+ if claims.ExpiresAt != nil && ts.After(claims.ExpiresAt.Time.Add(-tokenExpireDurationDiff)) {
 return false
 }
- if claims.IssuedAt != nil && ts.After(claims.IssuedAt.Time) {
+ if claims.IssuedAt != nil && ts.Before(claims.IssuedAt.Time) {
 return false
 }
- if claims.NotBefore != nil && ts.After(claims.NotBefore.Time) {
+ if claims.NotBefore != nil && ts.Before(claims.NotBefore.Time) {
 return false
 }
diff --git a/v2/auth/jwt_test.go b/v2/auth/jwt_test.go
new file mode 100644
index 00000000..f1f37985
--- /dev/null
+++ b/v2/auth/jwt_test.go
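Review bot: A negative `tokenExpireDurationDiff` moves the expiry threshold past `exp`, because the new check compares against `claims.ExpiresAt.Time.Add(-tokenExpireDurationDiff)`, so an already expired token would be reported as valid. Clamping it before the comparisons, `if tokenExpireDurationDiff < 0 { tokenExpireDurationDiff = 0 }`, keeps the margin one-directional. A token with no `exp` claim also skips the expiry check and can still return true; if that is intended, a comment such as `// tokens without exp are treated as non-expiring` would make it explicit, otherwise a nil `ExpiresAt` should return false. The function body starts and ends outside this hunk, so how the claims are parsed and whether the signature is checked cannot be seen here.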
@@ -0,0 +1,66 @@
+package auth
+
+import (
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/golang-jwt/jwt/v5"
+)
+
+func Test_IsTokenValid(t *testing.T) {
+ mySigningKey := []byte("test_key")
+ ts := time.Now()
+ tests := []struct {
+ expiresAt, issuedAt time.Time
+ name string
+ expireDurationDiff time.Duration
+ expected bool
+ }{
+ {
+ name: "valid claims",
+ expiresAt: ts.Add(time.Hour),
+ expireDurationDiff: time.Minute * 5,
+ issuedAt: ts.Add(-(time.Minute * 10)),
+ expected: true,
+ },
+ {
+ name: "issuedAt in future",
+ expiresAt: ts.Add(time.Hour),
+ expireDurationDiff: time.Minute * 5,
+ issuedAt: ts.Add(time.Hour),
+ expected: false,
+ },
+ {
+ name: "tokenexpiration inside diff window",
+ expiresAt: ts.Add(time.Minute * 4),
+ expireDurationDiff: time.Minute * 5,
+ issuedAt: ts,
+ expected: false,
+ },
+ {
+ name: "token expired",
+ expiresAt: ts.Add(-time.Minute),
+ expireDurationDiff: 0,
+ issuedAt: ts.Add(-(time.Minute * 10)),
+ expected: false,
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ claims := &jwt.RegisteredClaims{
+ ExpiresAt: &jwt.NumericDate{Time: test.expiresAt},
+ IssuedAt: &jwt.NumericDate{Time: test.issuedAt},
+ Issuer: "test",
+ }
+
+ token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+ ss, err := token.SignedString(mySigningKey)
+
+ require.NoError(t, err)
+ require.Equal(t, test.expected, IsTokenValid(ss, test.expireDurationDiff))
+ })
+ }
+}
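Review bot: The table never sets `NotBefore`, so the `nbf` comparison changed in this commit has no test, and every case sets `ExpiresAt`, so the nil-`exp` path is unexercised as well. Adding a `notBefore time.Time` field, with cases for `nbf` in the future (expected false) and `nbf` in the past (expected true), would pin the corrected direction. A case that builds the claims without `ExpiresAt` would record whether a token lacking `exp` is meant to be accepted. `IsTokenValid` is called with only the token string and never receives `mySigningKey`, so it presumably does not verify the HS256 signature; a short comment saying these tests cover time claims only would stop a reader from assuming signature coverage.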