diff --git a/CHANGES-5.0.md b/CHANGES-5.0.md
index 269115c93..76cbae1da 100644
--- a/CHANGES-5.0.md
+++ b/CHANGES-5.0.md
@@ -5,6 +5,7 @@
 * Websocket listener failed to read headers `X-Forwared-For` and `X-Forwarded-Port` [8415](https://github.com/emqx/emqx/pull/8415)
 * Deleted `cluster_singleton` from MQTT bridge config document. This config is no longer applicable in 5.0 [8407](https://github.com/emqx/emqx/pull/8407)
 * Fix `emqx/emqx:latest` docker image publish to use the Erlang flavor, but not Elixir flavor [8414](https://github.com/emqx/emqx/pull/8414)
+* Changed the `exp` field in JWT auth to be optional rather than required to fix backwards compatability with 4.X releases. [8425](https://github.com/emqx/emqx/pull/8425)
 # 5.0.2
@@ -14,14 +15,14 @@
 Going forward, it will be an enterprise only feature. Main reason: relup requires carefully crafted upgrade instructions from ALL previous versions. For example, 4.3 is now at 4.3.16, we have `4.3.0->4.3.16`, `4.3.1->4.3.16`, ... 16 such upgrade paths in total to maintain.
-This had been the biggest obstacle for EMQX team to act agile enought in deliverying enhancements and fixes.
+This had been the biggest obstacle for EMQX team to act agile enough in deliverying enhancements and fixes.
 ## Enhancements
 ## Bug fixes
 * Fixed a typo in `bin/emqx` which affects MacOs release when trying to enable Erlang distribution over TLS [8398](https://github.com/emqx/emqx/pull/8398)
-* Ristricted shell was accidentally disabled in 5.0.1, it has been added back. [8396]{https://github.com/emqx/emqx/pull/8396)
+* Restricted shell was accidentally disabled in 5.0.1, it has been added back. [8396](https://github.com/emqx/emqx/pull/8396)
 # 5.0.1
diff --git a/apps/emqx_authn/src/emqx_authn.app.src b/apps/emqx_authn/src/emqx_authn.app.src
index 09ccfb358..eebd3d90e 100644
--- a/apps/emqx_authn/src/emqx_authn.app.src
+++ b/apps/emqx_authn/src/emqx_authn.app.src
@@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {application, emqx_authn, [
 {description, "EMQX Authentication"},
- {vsn, "0.1.1"},
+ {vsn, "0.1.2"},
 {modules, []},
 {registered, [emqx_authn_sup, emqx_authn_registry]},
 {applications, [kernel, stdlib, emqx_resource, ehttpc, epgsql, mysql, jose]},
diff --git a/apps/emqx_authn/src/emqx_authn.appup.src b/apps/emqx_authn/src/emqx_authn.appup.src
index 9dcf55950..04bf1f428 100644
--- a/apps/emqx_authn/src/emqx_authn.appup.src
+++ b/apps/emqx_authn/src/emqx_authn.appup.src
@@ -1,13 +1,5 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
- [{"0.1.0",
- [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
- {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
- {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
- {<<".*">>,[]}],
- [{"0.1.0",
- [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
- {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
- {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
- {<<".*">>,[]}]}.
+ [{<<".*">>,[]}],
+ [{<<".*">>,[]}]}.
diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
index 6b62cec34..9f7e5f0a8 100644
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@@ -432,13 +432,13 @@ verify_claims(Claims, VerifyClaims0) ->
 Now = os:system_time(seconds),
 VerifyClaims = [
- {<<"exp">>, required, fun(ExpireTime) ->
+ {<<"exp">>, fun(ExpireTime) ->
 is_integer(ExpireTime) andalso Now < ExpireTime
 end},
- {<<"iat">>, optional, fun(IssueAt) ->
+ {<<"iat">>, fun(IssueAt) ->
 is_integer(IssueAt) andalso IssueAt =< Now
 end},
- {<<"nbf">>, optional, fun(NotBefore) ->
+ {<<"nbf">>, fun(NotBefore) ->
 is_integer(NotBefore) andalso NotBefore =< Now
 end}
 ] ++ VerifyClaims0,
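Review bot: Dropping the `required` tag from the `exp` entry means a token that simply omits `exp` now passes time validation for as long as its signature verifies, so a leaked or over-shared credential no longer ages out on its own; the hunk also strips the tag from `iat` and `nbf`, leaving this list with no way to express a mandatory claim at all. A less lossy way to get the 4.x compatibility the changelog describes is to keep the three-tuple shape and flip only the one atom, `{<<"exp">>, optional, fun(ExpireTime) ->`, which needs no change to `do_verify_claims/2`. Whichever shape is kept, the decision deserves a comment at the list, e.g. `%% exp is optional for 4.x compatibility: a token without it is never rejected on time grounds`, and, if the configuration that feeds `VerifyClaims0` allows it, a documented way for deployments issuing short-lived tokens to make `exp` mandatory again. The head of `verify_claims/2` and the code after `] ++ VerifyClaims0,` are outside this hunk.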
@@ -468,13 +468,11 @@ try_convert_to_int(Claims, []) ->
 do_verify_claims(_Claims, []) ->
 ok;
-do_verify_claims(Claims, [{Name, Required, Fun} | More]) when is_function(Fun) ->
- case {Required, maps:take(Name, Claims)} of
- {optional, error} ->
+do_verify_claims(Claims, [{Name, Fun} | More]) when is_function(Fun) ->
+ case maps:take(Name, Claims) of
+ error ->
 do_verify_claims(Claims, More);
- {required, error} ->
- {error, {missing_claim, Name}};
- {_, {Value, NClaims}} ->
+ {Value, NClaims} ->
 case Fun(Value) of
 true ->
 do_verify_claims(NClaims, More);
diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
index e5d56aa1f..db62775cd 100644
--- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
@@ -399,15 +399,15 @@ t_verify_claims(_) ->
 },
 ?assertMatch({ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential3, State1)),
- %% No exp
+ %% No exp treated as unexpired
 Payload4 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
 JWS4 = generate_jws('hmac-based', Payload4, Secret),
 Credential4 = #{
 username => <<"myuser">>,
 password => JWS4
 },
- ?assertEqual(
- {error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential4, State1)
+ ?assertMatch(
+ {ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential4, State1)
 ).
 t_jwt_not_allow_empty_claim_name(_) ->
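Review bot: The rewritten clause only matches `{Name, Fun}` pairs, so the `{error, {missing_claim, Name}}` path disappears together with the ability to declare any claim mandatory, and an entry in `VerifyClaims0` that still carries a `required`/`optional` atom (if callers or configuration build such entries — not visible here) would now crash with `function_clause` rather than be validated. I would keep the original three-tuple clause as it was and put a two-tuple convenience clause in front of it, `do_verify_claims(Claims, [{Name, Fun} | More]) when is_function(Fun) -> do_verify_claims(Claims, [{Name, optional, Fun} | More]);`, so the built-in claims can default to optional without deleting the mechanism or its error value. A one-line comment on the optional path, `%% absent optional claim: nothing to check, continue with the rest`, would also make the intent explicit. The remainder of the inner `case` in `do_verify_claims/2` is outside this hunk.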
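Review bot: The replaced comment `%% No exp treated as unexpired` records the new behaviour but not the reason, which invites a later reader to "fix" the assertion back to a rejection; the changelog in this commit gives the reason, so pin it here too: `%% No exp: accepted for 4.x compatibility, so a token without it is never rejected on time grounds`. It would also be worth a companion assertion that a token whose `exp` lies in the past is still rejected after the refactor of `do_verify_claims/2`, unless one of the earlier cases in `t_verify_claims/1` (outside this hunk) already covers it.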