diff --git a/libs/authtoken/authtoken.go b/libs/authtoken/authtoken.go
index 0d4061ee96..90052e664a 100644
--- a/libs/authtoken/authtoken.go
+++ b/libs/authtoken/authtoken.go
@@ -24,7 +24,7 @@ func ExtractSignedPermissions(verifier jwt.Verifier, token string) ([]auth.Permi
 	if err := json.Unmarshal(tk.Claims(), p); err != nil {
 		return nil, err
 	}
-	if p.ExpiresAt.After(time.Now().UTC()) {
+	if p.ExpiresAt.Before(time.Now().UTC()) {
 		return nil, fmt.Errorf("token expired %s ago", time.Since(p.ExpiresAt))
 	}
 	return p.Allow, nil