diff --git a/onekey_client/client.py b/onekey_client/client.py
index 7e0d8a9..cb95b1d 100644
--- a/onekey_client/client.py
+++ b/onekey_client/client.py
@@ -1,7 +1,7 @@
 import functools
 import gc
 import secrets
-import time
+import ssl
 from importlib import resources
 from importlib.metadata import version
 from pathlib import Path
@@ -66,18 +66,34 @@ def _setup_httpx_client(
 ca_bundle: Path | None = None,
 disable_tls_verify: bool | None = False,
 ):
- headers = {"User-Agent": f"{APP_NAME}/{APP_VERSION}"}
- if disable_tls_verify:
- return httpx.Client(base_url=api_url, headers=headers, verify=False) # noqa: S501 (TLS certificate validation disabled)
+ return httpx.Client(
+ base_url=api_url,
+ headers={
+ "User-Agent": f"{APP_NAME}/{APP_VERSION}",
+ },
+ verify=self._create_ssl_context(
+ ca_bundle=ca_bundle, disable_tls_verify=disable_tls_verify
+ ),
+ )
- if ca_bundle is not None:
+ def _create_ssl_context(
+ self,
+ ca_bundle: Path | None,
+ disable_tls_verify: bool | None,
+ ) -> ssl.SSLContext:
+ context = ssl.create_default_context()
+ if disable_tls_verify:
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+ elif ca_bundle is not None:
 ca = ca_bundle.expanduser()
 if not ca.exists():
 raise errors.InvalidCABundle
-
- return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
- with resources.path(keys, "ca.pem") as ca:
- return httpx.Client(base_url=api_url, headers=headers, verify=str(ca))
+ context.load_verify_locations(cafile=ca)
+ else:
+ with resources.path(keys, "ca.pem") as ca:
+ context.load_verify_locations(cafile=ca)
+ return context
 def _load_key(self, key_name: str, path: Path | None = None):
 if path is not None:
@@ -266,7 +282,7 @@ def _verify_token(
 claims_options=claims_options,
 claims_params={"nonce": nonce},
 )
- decoded_token.validate(now=time.time())
+ decoded_token.validate(leeway=300)
 return decoded_token
diff --git a/pyproject.toml b/pyproject.toml
index 5f8d936..9d62637 100644
--- a/pyproject.toml
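Review bot: `_create_ssl_context` starts from `ssl.create_default_context()`, which already loads the system trust store, so the later `load_verify_locations(cafile=ca)` calls add the bundled `ca.pem` or the user's bundle on top of the system roots instead of trusting that CA alone. The removed code passed `verify=str(ca)` to `httpx.Client`, which, as far as I can tell, trusted only that file, so this looks like an unannounced widening of the trust anchors for the API connection. If pinning to the bundle is still intended, build the context per branch with `ssl.create_default_context(cafile=str(ca))`, which skips the system roots when a CA file is given; if the wider trust is intended, say so in a docstring on `_create_ssl_context`. `_setup_httpx_client` starts outside the hunk, so its other parameters are not visible here.

```python
    ) -> ssl.SSLContext:
        if disable_tls_verify:
            context = ssl.create_default_context()
            # … unchanged: check_hostname = False, verify_mode = ssl.CERT_NONE …
            return context
        if ca_bundle is not None:
            # … unchanged: expanduser() and the InvalidCABundle check …
            # cafile= makes this file the only trust anchor (no system roots)
            return ssl.create_default_context(cafile=str(ca))
        with resources.path(keys, "ca.pem") as ca:
            return ssl.create_default_context(cafile=str(ca))
```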
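Review bot: `decoded_token.validate(leeway=300)` in `_verify_token` hard-codes the tolerance as a bare number with no comment on why five minutes was chosen. Assuming the usual meaning of `leeway`, the token's time claims are now accepted up to 300 seconds outside their stated window, so an expired token stays usable for that long; that is a security trade-off a reader should be able to find. I would name it at module level, `TOKEN_LEEWAY_SECONDS = 300  # clock-skew tolerance for time-claim checks`, and call `decoded_token.validate(leeway=TOKEN_LEEWAY_SECONDS)`, choosing the smallest value that covers the observed skew. `_verify_token` begins outside the hunk, so the `claims_options` that decide which time claims are enforced cannot be checked from here.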
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "onekey_client"
-version = "2.6.0"
+version = "2.7.0"
 description = "ONEKEY API client"
 authors = [{ name = "ONEKEY", email = "support@onekey.com" }]
 requires-python = ">=3.10"