There are some practical ideas in this thread, particularly in relation to avoiding local time reads, so that JWT generations are correct even after machine unsuspend:
There are some practical ideas in this thread, particularly in relation to avoiding local time reads, so that JWT generations are correct even after machine unsuspend: