diff --git a/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs b/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
index c49a7c3..5cf0f6d 100644
--- a/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
+++ b/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
@@ -39,6 +39,10 @@ public static class JwtTestHelpers
         var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
 
         var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+        // JwtSecurityToken rejects Expires <= NotBefore. Shift NotBefore
+        // behind Expires for the expired-token test fixture.
+        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
         var claims = new List<Claim>
         {
             new(JwtRegisteredClaimNames.Sub, subject),
@@ -53,8 +57,8 @@ public static class JwtTestHelpers
             issuer: null,
             audience: null,
             claims: claims,
-            notBefore: now,
-            expires: now.Add(lifetime ?? TimeSpan.FromHours(1)),
+            notBefore: notBefore,
+            expires: expires,
             signingCredentials: credentials);
 
         return new JwtSecurityTokenHandler().WriteToken(token);