diff --git a/src/planet_auth_utils/commands/cli/jwt_cmd.py b/src/planet_auth_utils/commands/cli/jwt_cmd.py
index 28141ec..ed027d5 100644
--- a/src/planet_auth_utils/commands/cli/jwt_cmd.py
+++ b/src/planet_auth_utils/commands/cli/jwt_cmd.py
@@ -50,19 +50,26 @@ def __init__(self, data):
         self._data = data
 
     def __json_pretty_dumps__(self):
-        def _human_timestamp_iso(d):
+        def _human_readable_jwt_claim(d):
             for key, value in list(d.items()):
                 if key in ["iat", "exp", "nbf"] and isinstance(value, int):
+                    # UNIX Timestamps in ISO format, with annotations.
                     fmt_time = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(value))
-                    if (key == "exp") and (d[key] < time.time()):
+                    now = time.time()
+                    if (key == "exp") and (d[key] < now):
                         fmt_time += " (Expired)"
+                    if (key == "nbf") and (d[key] > now):
+                        fmt_time += " (Future)"
                     d[key] = fmt_time
+                elif key in ["api_key"]:
+                    # Redact sensitive values
+                    d[key] = "REDACTED"
                 elif isinstance(value, dict):
-                    _human_timestamp_iso(value)
+                    _human_readable_jwt_claim(value)
             return d
 
         json_dumps = self._data.copy()
-        _human_timestamp_iso(json_dumps)
+        _human_readable_jwt_claim(json_dumps)
         return json_dumps