diff --git a/src/JWT.php b/src/JWT.php
index 37a9e0e6..5386b601 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -127,6 +127,16 @@ public static function decode(
 if (!$payload instanceof stdClass) {
 throw new UnexpectedValueException('Payload must be a JSON object');
 }
+ if (isset($payload->iat) && !\is_numeric($payload->iat)) {
+ throw new UnexpectedValueException('Payload iat must be a number');
+ }
+ if (isset($payload->nbf) && !\is_numeric($payload->nbf)) {
+ throw new UnexpectedValueException('Payload nbf must be a number');
+ }
+ if (isset($payload->exp) && !\is_numeric($payload->exp)) {
+ throw new UnexpectedValueException('Payload exp must be a number');
+ }
+
 $sig = static::urlsafeB64Decode($cryptob64);
 if (empty($header->alg)) {
 throw new UnexpectedValueException('Empty algorithm');
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index d09d43e3..805b867a 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
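Review bot: The three new `\is_numeric` checks still let a string-typed claim through, because PHP treats `"1e3"` or `" 42"` as numeric, so an `exp`/`nbf`/`iat` sent as a JSON string is accepted here and then presumably compared as a string by the timestamp checks that follow outside this hunk. If the intent is to pin the claim to an RFC 7519 NumericDate, check the PHP type rather than numeric-ness, e.g. `if (isset($payload->exp) && !\is_int($payload->exp) && !\is_float($payload->exp)) {` for each of the three claims. Note also that `isset()` is false for a claim explicitly set to `null`, so `"exp": null` bypasses the new validation entirely; whether the later checks treat a null `exp` as "no expiry" cannot be seen from this hunk and is worth confirming. The enclosing `decode()` starts before and ends after this hunk.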
@@ -546,4 +546,31 @@ public function testAdditionalHeaderOverrides()
 $this->assertEquals('my_key_id', $headers->kid, 'key param not overridden');
 $this->assertEquals('HS256', $headers->alg, 'alg param not overridden');
 }
+
+ public function testDecodeExpectsIntegerIat()
+ {
+ $this->expectException(UnexpectedValueException::class);
+ $this->expectExceptionMessage('Payload iat must be a number');
+
+ $payload = JWT::encode(['iat' => 'not-an-int'], 'secret', 'HS256');
+ JWT::decode($payload, new Key('secret', 'HS256'));
+ }
+
+ public function testDecodeExpectsIntegerNbf()
+ {
+ $this->expectException(UnexpectedValueException::class);
+ $this->expectExceptionMessage('Payload nbf must be a number');
+
+ $payload = JWT::encode(['nbf' => 'not-an-int'], 'secret', 'HS256');
+ JWT::decode($payload, new Key('secret', 'HS256'));
+ }
+
+ public function testDecodeExpectsIntegerExp()
+ {
+ $this->expectException(UnexpectedValueException::class);
+ $this->expectExceptionMessage('Payload exp must be a number');
+
+ $payload = JWT::encode(['exp' => 'not-an-int'], 'secret', 'HS256');
+ JWT::decode($payload, new Key('secret', 'HS256'));
+ }
 }
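Review bot: The three new tests only assert that a plainly non-numeric string is rejected; nothing pins what happens to a numeric string such as `'1e3'` or to a claim explicitly set to `null`, which are exactly the inputs where `\is_numeric` and `isset()` diverge from a strict type check, so a later tightening of the decode validation would go untested. The method names say `ExpectsInteger` while the asserted message says `must be a number`; a name like `testDecodeRejectsNonNumericIat` describes the behaviour actually checked. The three bodies differ only in the claim name and could be one test driven by a data provider yielding `'iat'`, `'nbf'` and `'exp'`. The test class closes at the end of this hunk; `testAdditionalHeaderOverrides` begins above it.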