diff --git a/firebase_admin/__init__.py b/firebase_admin/__init__.py
index 7e3b2eab0..fb38aa516 100644
--- a/firebase_admin/__init__.py
+++ b/firebase_admin/__init__.py
@@ -28,7 +28,7 @@
 _DEFAULT_APP_NAME = '[DEFAULT]'
 _FIREBASE_CONFIG_ENV_VAR = 'FIREBASE_CONFIG'
-_CONFIG_VALID_KEYS = ['databaseAuthVariableOverride', 'databaseURL', 'httpTimeout', 'projectId',
+_CONFIG_VALID_KEYS = ['clockSkewInSeconds', 'databaseAuthVariableOverride', 'databaseURL', 'httpTimeout', 'projectId',
 'storageBucket']
 def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
@@ -48,9 +48,10 @@ def initialize_app(credential=None, options=None, name=_DEFAULT_APP_NAME):
 credential: A credential object used to initialize the SDK (optional). If none is provided, Google Application Default Credentials are used.
 options: A dictionary of configuration options (optional). Supported options include
- ``databaseURL``, ``storageBucket``, ``projectId``, ``databaseAuthVariableOverride``,
- ``serviceAccountId`` and ``httpTimeout``. If ``httpTimeout`` is not set, the SDK
- uses a default timeout of 120 seconds.
+ ``clockSkewInSeconds``, ``databaseURL``, ``storageBucket``, ``projectId``,
+ ``databaseAuthVariableOverride``, ``serviceAccountId`` and ``httpTimeout``.
+ If ``httpTimeout`` is not set, the SDK uses a default timeout of 120 seconds.
+ If ``clockSkewInSeconds`` is not set, 0 is used when verifying a token.
 name: Name of the app (optional).
 Returns:
 App: A newly initialized instance of App.
diff --git a/firebase_admin/_token_gen.py b/firebase_admin/_token_gen.py
index 32c109d5d..e09686d47 100644
--- a/firebase_admin/_token_gen.py
+++ b/firebase_admin/_token_gen.py
@@ -55,6 +55,7 @@
 'service-accounts/default/email')
 ALGORITHM_RS256 = 'RS256'
 ALGORITHM_NONE = 'none'
+DEFAULT_CLOCK_SKEW_IN_SECONDS = 0
 # Emulator fake account
 AUTH_EMULATOR_EMAIL = 'firebase-auth-emulator@example.com'
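Review bot: The sentence added to the `initialize_app` docstring gives only the default for `clockSkewInSeconds`; it does not say what the option does, or that a larger value lengthens the time an expired token is still accepted. I would replace it with something like `If clockSkewInSeconds is not set, no clock skew is tolerated when a token's time claims are checked.` (option name in the docstring's usual double-backtick markup) and add that the value should be kept to a few seconds. The docstring starts and ends outside the hunk, so whether the option is described elsewhere cannot be seen from here.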
@@ -271,6 +272,7 @@ class TokenVerifier:
 def __init__(self, app):
 timeout = app.options.get('httpTimeout', _http_client.DEFAULT_TIMEOUT_SECONDS)
+ clock_skew_in_seconds = app.options.get('clockSkewInSeconds', DEFAULT_CLOCK_SKEW_IN_SECONDS)
 self.request = CertificateFetchRequest(timeout)
 self.id_token_verifier = _JWTVerifier(
 project_id=app.project_id, short_name='ID token',
@@ -278,6 +280,7 @@ def __init__(self, app):
 doc_url='https://firebase.google.com/docs/auth/admin/verify-id-tokens',
 cert_url=ID_TOKEN_CERT_URI,
 issuer=ID_TOKEN_ISSUER_PREFIX,
+ clock_skew_in_seconds=clock_skew_in_seconds,
 invalid_token_error=_auth_utils.InvalidIdTokenError,
 expired_token_error=ExpiredIdTokenError)
 self.cookie_verifier = _JWTVerifier(
@@ -312,6 +315,7 @@ def __init__(self, **kwargs):
 self.articled_short_name = 'a {0}'.format(self.short_name)
 self._invalid_token_error = kwargs.pop('invalid_token_error')
 self._expired_token_error = kwargs.pop('expired_token_error')
+ self._clock_skew_in_seconds = kwargs.pop('clock_skew_in_seconds',DEFAULT_CLOCK_SKEW_IN_SECONDS)
 def verify(self, token, request):
 """Verifies the signature and data for the provided JWT."""
@@ -393,7 +397,8 @@ def verify(self, token, request):
 token,
 request=request,
 audience=self.project_id,
- certs_url=self.cert_url)
+ certs_url=self.cert_url,
+ clock_skew_in_seconds=self._clock_skew_in_seconds)
 verified_claims['uid'] = verified_claims['sub']
 return verified_claims
 except google.auth.exceptions.TransportError as error:
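Review bot: `clockSkewInSeconds` is read from `app.options` in `TokenVerifier.__init__` and used with no type or range check, so a string, a negative number or a very large value goes straight into token verification, and a large value would keep expired ID tokens acceptable for that long. The `_CONFIG_VALID_KEYS` hunk in `firebase_admin/__init__.py` adds the same key to the allowlist next to `_FIREBASE_CONFIG_ENV_VAR`, so the value can presumably come from the environment as well as from code. I would validate right after the lookup, for example `if not isinstance(clock_skew_in_seconds, int) or not 0 <= clock_skew_in_seconds <= 60:` followed by `raise ValueError('clockSkewInSeconds must be an integer between 0 and 60.')`, with the cap chosen by the project. `__init__` continues outside the hunk.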
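Review bot: Only `id_token_verifier` is given `clock_skew_in_seconds`; the hunk ends at `self.cookie_verifier = _JWTVerifier(` and no other hunk in this diff touches that call, so session-cookie verification appears to stay at the default of 0. The default in `kwargs.pop('clock_skew_in_seconds',DEFAULT_CLOCK_SKEW_IN_SECONDS)` in the `_JWTVerifier.__init__` hunk lets the omission pass silently (that line is also missing the space after the comma). Either pass `clock_skew_in_seconds=clock_skew_in_seconds,` to the cookie verifier too, or state in the `initialize_app` docstring that the option applies to ID tokens only. The cookie verifier's argument list is outside the hunk, so this needs confirming against the full file.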
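Review bot: The call that now receives `clock_skew_in_seconds=self._clock_skew_in_seconds` starts outside the hunk, so the callee is not visible here. If it is the google-auth token verification helper, the keyword is accepted only by releases that have that parameter, and an older installed version would raise `TypeError` on every verification. The diff shows no change to the dependency pins, so the minimum google-auth version should be checked and raised if needed. A test that verifies one token just inside and one just outside the configured skew would pin the intended behaviour.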