diff --git a/lib/KeyStore.ts b/lib/KeyStore.ts
index 882c010..1979e98 100644
--- a/lib/KeyStore.ts
+++ b/lib/KeyStore.ts
@@ -11,6 +11,10 @@ class KeyStore {
       return this._keys[key];
 
     if (valid_for !== 0) {
+      if ((iat + valid_for) * 1000 < (new Date)
+        .getTime ())
+        throw new Error ('cannot create already expired keys');
+
       this._keys[key] = create_salt ();
       setTimeout (() => {
         delete this._keys[key];
diff --git a/test/spec/KeyStore.ts b/test/spec/KeyStore.ts
index 96c3ec0..1bafbe8 100644
--- a/test/spec/KeyStore.ts
+++ b/test/spec/KeyStore.ts
@@ -79,6 +79,14 @@ describe ('key store', () => {
       .toEqual (keys[1].key);
   });
 
+  it ('should reject key generation of expired keys', () => {
+    const iat = ((new Date)
+      .getTime () / 1000) - 10;
+    const duration = 5;
+    expect (() => ks.get_key (iat, duration))
+      .toThrowError ('cannot create already expired keys');
+  });
+
   afterAll (() => {
     jasmine.clock ()
       .uninstall ();