diff --git a/act/artifactcache/mac.go b/act/artifactcache/mac.go
index 3e6ac246..862ef9db 100644
--- a/act/artifactcache/mac.go
+++ b/act/artifactcache/mac.go
@@ -8,34 +8,56 @@ import (
 	"crypto/sha256"
 	"errors"
 	"hash"
+	"strconv"
+	"time"
 
 	"github.com/julienschmidt/httprouter"
 )
 
 var (
-	ErrValidation   = errors.New("repo validation error")
-	cachePrefixPath = "repo:/run:/time:/mac:/"
+	ErrValidation   = errors.New("validation error")
+	cachePrefixPath = "repo:/run:/ts:/mac:/"
 )
 
 func (h *Handler) validateMac(params httprouter.Params) (string, error) {
+	ts := params.ByName("ts")
+
 	repo := params.ByName("repo")
 	run := params.ByName("run")
-	time := params.ByName("time")
 	messageMAC := params.ByName("mac")
 
-	mac := computeMac(h.secret, repo, run, time)
-	expectedMAC := mac.Sum(nil)
+	// TODO: allow configurable max age
+	if !validateAge(ts) {
+		return "", ErrValidation
+	}
 
+	expectedMAC := computeMac(h.secret, repo, run, ts).Sum(nil)
 	if hmac.Equal([]byte(messageMAC), expectedMAC) {
 		return repo, nil
 	}
 	return repo, ErrValidation
 }
 
-func computeMac(key, repo, run, time string) hash.Hash {
+func validateAge(ts string) bool {
+	tsInt, err := strconv.ParseInt(ts, 10, 64)
+	if err != nil {
+		return false
+	}
+	if tsInt > time.Now().Unix() {
+		return false
+	}
+	return true
+}
+
+func computeMac(key, repo, run, ts string) hash.Hash {
 	mac := hmac.New(sha256.New, []byte(key))
 	mac.Write([]byte(repo))
 	mac.Write([]byte(run))
-	mac.Write([]byte(time))
+	mac.Write([]byte(ts))
 	return mac
 }
+
+func ComputeMac(key, repo, run, ts string) string {
+	mac := computeMac(key, repo, run, ts)
+	return string(mac.Sum(nil))
+}