diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
index dac4e4690..9fd1b2961 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/spiff_step_details.py
@@ -1,5 +1,6 @@
 """Spiff_step_details."""
 from dataclasses import dataclass
+from typing import Union
 
 from sqlalchemy import ForeignKey
 from sqlalchemy import UniqueConstraint
@@ -32,4 +33,8 @@ class SpiffStepDetailsModel(SpiffworkflowBaseDBModel):
     bpmn_task_identifier: str = db.Column(db.String(255), nullable=False)
 
     start_in_seconds: float = db.Column(db.DECIMAL(17, 6), nullable=False)
-    end_in_seconds: float | None = db.Column(db.DECIMAL(17, 6))
+
+    # to fix mypy in 3.9 - not sure why syntax like:
+    #   float | None
+    # works in other dataclass db models
+    end_in_seconds: Union[float, None] = db.Column(db.DECIMAL(17, 6))
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 04b2704ae..7b8d6e701 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -165,7 +165,7 @@ class AuthenticationService:
 
         iss = decoded_token["iss"]
         aud = decoded_token["aud"]
-        azp = decoded_token['azp'] if "azp" in decoded_token else None
+        azp = decoded_token["azp"] if "azp" in decoded_token else None
         iat = decoded_token["iat"]
         if iss != cls.server_url():
             valid = False
@@ -179,6 +179,7 @@ class AuthenticationService:
             "account",
         ):
             valid = False
+        # make sure issued at time is not in the future
         elif now + iat_clock_skew_leeway < iat:
             valid = False