diff --git a/util/security/registry_jwt.py b/util/security/registry_jwt.py
index be110f1a7..816649c12 100644
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@@ -9,6 +9,10 @@ logger = logging.getLogger(__name__)
 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'
 
+# The number of allowed seconds of clock skew for a JWT. We pad the iat, nbf and exp with this
+# count.
+JWT_CLOCK_SKEW_SECONDS = 10
+
 class InvalidBearerTokenException(Exception):
   pass
 
@@ -76,9 +80,9 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
   token_data = {
     'iss': issuer,
     'aud': audience,
-    'nbf': int(time.time()),
-    'iat': int(time.time()),
-    'exp': int(time.time() + lifetime_s),
+    'nbf': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'iat': int(time.time()) - JWT_CLOCK_SKEW_SECONDS,
+    'exp': int(time.time() + lifetime_s) + JWT_CLOCK_SKEW_SECONDS,
     'sub': subject,
     'access': access,
     'context': context,
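Review bot: The three new claim lines in the second hunk each call `time.time()` separately, so `nbf`, `iat` and `exp` can be computed from clocks one second apart and the token's stated lifetime is not exactly `lifetime_s + 2 * JWT_CLOCK_SKEW_SECONDS`; read the clock once and derive all three from it. Backdating `iat` by the skew also misstates when the token was issued — `iat` is a factual claim that verifiers may use to judge token age, and skew tolerance for it belongs on the validating side as leeway, so `iat` should stay at the real issue time while only `nbf` and `exp` are padded. Note that padding both ends widens every token's acceptance window by 20 seconds in total; if the verifier in this module (presumably a `jwt.decode` elsewhere in the file) also applies leeway, the tolerance is doubled, which is worth confirming. `_generate_jwt_object` starts and ends outside this hunk.
```python
  now = int(time.time())
  token_data = {
    'iss': issuer,
    'aud': audience,
    'nbf': now - JWT_CLOCK_SKEW_SECONDS,
    'iat': now,
    'exp': now + lifetime_s + JWT_CLOCK_SKEW_SECONDS,
    # … unchanged: sub, access, context …
```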