The exp and nbf claims should be used to validate the token lifetime, but the iat should be treated as merely informative.
The JWT spec does not indicate any validation for iat. Other libraries like .Net also don't use iat (e.g. here).