diff --git a/lib/go/edgecontext/req_context.go b/lib/go/edgecontext/req_context.go
index 51d9c67..bade0e5 100644
--- a/lib/go/edgecontext/req_context.go
+++ b/lib/go/edgecontext/req_context.go
@@ -7,6 +7,7 @@ import (
 	"sync"
 
 	"github.com/gofrs/uuid"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/reddit/baseplate.go/experiments"
 )
 
@@ -47,8 +48,9 @@ func (e *EdgeRequestContext) getCtx() context.Context {
 func (e *EdgeRequestContext) AuthToken() *AuthenticationToken {
 	e.tokenOnce.Do(func() {
 		if token, err := e.impl.ValidateToken(e.raw.AuthToken); err != nil {
-			// empty jwt token is considered "normal", no need to spam them in logs.
-			if !errors.Is(err, ErrEmptyToken) {
+			// empty jwt token is considered "normal", no need to spam them in logs. likewise, expired JWT is "normal"
+			// and not exceptional.
+			if !errors.Is(err, ErrEmptyToken) || !errors.Is(err, jwt.ErrTokenExpired) {
 				e.impl.logger.Log(e.getCtx(), "token validation failed: "+err.Error())
 			}
 			e.token = nil
diff --git a/lib/go/edgecontext/validator_test.go b/lib/go/edgecontext/validator_test.go
index 6fa65b4..116bb1d 100644
--- a/lib/go/edgecontext/validator_test.go
+++ b/lib/go/edgecontext/validator_test.go
@@ -40,6 +40,11 @@ func TestInvalidToken(t *testing.T) {
 			token: `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0Ml9leGFtcGxlIiwiZXhwIjoyNTI0NjA4MDAwfQ.foobar`,
 			want:  jwt.ErrTokenSignatureInvalid,
 		},
+		{
+			name:  "expired",
+			token: `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0Ml9leGFtcGxlIiwiZXhwIjoxMjYyMzA0MDAwfQ.iUD0J2blW-HGtH86s66msBXymCRCgyxAZJ6xX2_SXD-kegm-KjOlIemMWFZtsNv9DJI147cNP81_gssewvUnhIHLVvXWCTOROasXbA9Yf2GUsjxoGSB7474ziPOZquAJKo8ikERlhOOVk3r4xZIIYCuc4vGZ7NfqFxjDGKAWj5Tt4VUiWXK1AdxQck24GyNOSXs677vIJnoD8EkgWqNuuwY-iFOAPVcoHmEuzhU_yUeQnY8D-VztJkip5-YPEnuuf-dTSmPbdm9ZTOP8gjTsG0Sdvb9NdLId0nEwawRy8CfFEGQulqHgd1bqTm25U-NyXQi7zroi1GEdykZ3w9fVNQ`,
+			want:  jwt.ErrTokenExpired,
+		},
 	}
 
 	for _, _c := range cases {