diff --git a/web/app.py b/web/app.py
index e6f0d6d..35244d7 100755
--- a/web/app.py
+++ b/web/app.py
@@ -116,7 +116,7 @@ def post(self):
         if not verify_user(username, password):
             return {"status": 401, "msg": "Invalid credentials"}, 401
         token = jwt.encode(
-            {"sub": username, "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1)},
+            {"sub": username, "exp": datetime.datetime.now(timezone.utc) + datetime.timedelta(hours=1)},
             SECRET,
             algorithm="HS256",
         )
diff --git a/web/tests/test_app.py b/web/tests/test_app.py
index d9fe53e..91f3c4d 100644
--- a/web/tests/test_app.py
+++ b/web/tests/test_app.py
@@ -51,7 +51,7 @@ def make_empty_cursor():
 
 def make_valid_token(username="alice", secret=TEST_SECRET):
     return jwt.encode(
-        {"sub": username, "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1)},
+        {"sub": username, "exp": datetime.datetime.now(timezone.utc) + datetime.timedelta(hours=1)},
         secret,
         algorithm="HS256",
     )
@@ -59,7 +59,7 @@ def make_valid_token(username="alice", secret=TEST_SECRET):
 
 def make_expired_token(username="alice"):
     return jwt.encode(
-        {"sub": username, "exp": datetime.datetime.utcnow() - datetime.timedelta(seconds=1)},
+        {"sub": username, "exp": datetime.datetime.now(timezone.utc) - datetime.timedelta(seconds=1)},
         TEST_SECRET,
         algorithm="HS256",
     )