diff --git a/config.toml b/config.toml
index d965c9e..c7cbbe6 100644
--- a/config.toml
+++ b/config.toml
@@ -8,7 +8,7 @@ database = "mysql://root:root@localhost:3366/void_cat"
 storage_dir = "./data"
 # Maximum support filesize for uploading
-max_upload_bytes = 104857600
+max_upload_bytes = 5e+9
 # Public facing url
 public_url = "http://localhost:8000"
diff --git a/src/auth/nip98.rs b/src/auth/nip98.rs
index f50829e..837a41e 100644
--- a/src/auth/nip98.rs
+++ b/src/auth/nip98.rs
@@ -1,6 +1,3 @@
-use std::ops::Sub;
-use std::time::Duration;
-
 use base64::Engine;
 use base64::prelude::BASE64_STANDARD;
 use log::info;
@@ -42,9 +39,6 @@ impl<'r> FromRequest<'r> for Nip98Auth {
 "Created timestamp is in the future",
 ));
 }
- if event.created_at < Timestamp::now().sub(Duration::from_secs(60)) {
- return Outcome::Error((Status::new(401), "Created timestamp is too old"));
- }
 // check url tag
 if let Some(url) = event.tags.iter().find_map(|t| {
diff --git a/src/routes/nip96.rs b/src/routes/nip96.rs
index ed756af..5a5d894 100644
--- a/src/routes/nip96.rs
+++ b/src/routes/nip96.rs
@@ -1,8 +1,12 @@
 use std::collections::HashMap;
 use std::fs;
+use std::ops::Sub;
+use std::time::Duration;
 use log::error;
+use nostr::Timestamp;
 use rocket::{FromForm, Responder, Route, routes, State};
+use rocket::data::ToByteUnit;
 use rocket::form::Form;
 use rocket::fs::TempFile;
 use rocket::serde::json::Json;
@@ -123,6 +127,7 @@ impl Nip96UploadResult {
 ],
 vec!["x".to_string(), hex_id],
 vec!["m".to_string(), upload.mime_type.clone()],
+ vec!["size".to_string(), upload.size.to_string()],
 ];
 if let Some(bh) = &upload.blur_hash {
 tags.push(vec!["blurhash".to_string(), bh.clone()]);
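Review bot: In config.toml, `max_upload_bytes = 5e+9` is a TOML float, whereas the previous value `104857600` was an integer; if the settings field is an integer type, loading may fail or go through a lossy float conversion, depending on a deserializer that is not visible here. Writing the limit as `max_upload_bytes = 5000000000` keeps the value's type unchanged. The new limit is roughly 48 times the old one, so it is worth confirming that the volume behind `storage_dir` and any per-user quota are sized for uploads of that size.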
@@ -231,7 +236,14 @@ async fn upload(
 if form.alt.is_some() {
 return Nip96Response::error("\"alt\" is not supported");
 }
-
+
+ // account for upload speeds as slow as 1MB/s (8 Mbps)
+ let mbs = form.size / 1.megabytes().as_u64() as usize;
+ let max_time = 60.max(mbs) as u64;
+ if auth.event.created_at < Timestamp::now().sub(Duration::from_secs(max_time)) {
+ return Nip96Response::error("Auth event timestamp out of range");
+ }
+
 // check whitelist
 if let Some(wl) = &settings.whitelist {
 if !wl.contains(&auth.event.pubkey.to_hex()) {
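Review bot: The freshness window in the added block scales with `form.size`, which appears to be the size the client declares in the form rather than the number of bytes actually received, so the caller of `upload` influences how old an auth event may be. Nothing in the hunk caps `max_time`, and with `max_upload_bytes` raised to 5e+9 in config.toml an honest declaration alone already allows a window of roughly 5000 seconds. Consider bounding it, e.g. `let max_time = 60.max(mbs).min(MAX_AUTH_AGE_SECS) as u64;` (MAX_AUTH_AGE_SECS is a placeholder for a constant you would define), or deriving `mbs` from the stored file's length. Since the 60-second check was removed from the `Nip98Auth` guard in src/auth/nip98.rs, any other route using that guard presumably no longer rejects stale events, which is worth confirming. The body of `upload` starts and ends outside the hunk, so an earlier validation of the declared size cannot be ruled out.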