m["accessKey"] = accessKey
	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))
	return jwt.SignedString([]byte(tokenSecret))
}

// ExtractClaims extracts JWT claims from a security token using a secret key
func ExtractClaims(token, secretKey string) (*jwt.MapClaims, error) {
	if token == "" || secretKey == "" {
		return nil, errors.New("invalid argument")
	}

	claims := jwt.NewMapClaims()

	// on the client side and is treated like an opaque value.
	claims, err := auth.ExtractClaims(token, secret)
	if err != nil {
		if subtle.ConstantTimeCompare([]byte(secret), []byte(globalActiveCred.SecretKey)) == 1 {
			return nil, errAuthentication
		}
		claims, err = auth.ExtractClaims(token, globalActiveCred.SecretKey)
		if err != nil {
			return nil, errAuthentication
		}
	}

				jwtClaims, err = auth.ExtractClaims(cred.SessionToken, cred.SecretKey)
				if err != nil {
					jwtClaims, err = auth.ExtractClaims(cred.SessionToken, globalActiveCred.SecretKey)
				}
			} else {
				var secretKey string
				secretKey, err = getTokenSigningKey()
				if err != nil {
					continue
				}
				jwtClaims, err = auth.ExtractClaims(cred.SessionToken, secretKey)
			}

			}
		}
	}
	secretKey, err := getTokenSigningKey()
	if err != nil {
		return errSRInvalidRequest(err)
	}

	// Verify the session token of the stsCred
	claims, err := auth.ExtractClaims(stsCred.SessionToken, secretKey)
	if err != nil {
		return fmt.Errorf("STS credential could not be verified: %w", err)
	}

	mapClaims := claims.Map()
	expiry, err := auth.ExpToInt64(mapClaims["exp"])