JWT Expiry Checker

Check if a JWT token is expired

Check JWT Expiration

JWT Expiry Checker is a developer tool that tells you whether a JSON Web Token is expired. Paste a JWT below to see the exp, iat, and nbf claims, time remaining, and a live countdown.

About JWT Expiry Checker

JWT Expiry Checker is a free browser-based tool that decodes a JSON Web Token and checks whether it has expired. It reads the exp (Expiration Time), iat (Issued At), and nbf (Not Before) claims from the token payload and compares them against the current time. It does not verify the token signature — it only inspects the time-related claims.

How JWT Expiration Works

A JWT is three Base64URL-encoded segments separated by dots: header.payload.signature. The payload contains claims — key-value pairs with information about the token. Three claims control timing:

  • exp (Expiration Time) — Unix timestamp after which the token must be rejected. Required for most use cases.
  • iat (Issued At) — Unix timestamp recording when the token was created. Optional but widely used.
  • nbf (Not Before) — Unix timestamp before which the token must not be accepted. Optional.

All timestamps are Unix epoch seconds — the number of seconds since January 1, 1970 00:00:00 UTC. To check expiration: if current_time > exp, the token is expired.

Worked Example

Given this JWT payload (decoded):

{
  "sub": "user_42",
  "iat": 1704063600,
  "exp": 1704067200,
  "nbf": 1704063600
}

  • iat = 1704063600 → 2024-01-01 00:00:00 UTC (issued at midnight)
  • exp = 1704067200 → 2024-01-01 01:00:00 UTC (expires 1 hour later)
  • nbf = 1704063600 → 2024-01-01 00:00:00 UTC (valid from issuance)
  • Lifetime = 1704067200 − 1704063600 = 3,600 seconds = 1 hour

If the current time is 2024-01-01 00:30:00 UTC (1704065400), the token is valid — 30 minutes remain. If the current time is 2024-01-01 02:00:00 UTC (1704070800), the token expired 1 hour ago.
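The check described above, applied to the worked-example payload, as an added example (not this tool's own code). It runs under Node.js and, like the tool, does not verify the signature. The function names, status strings, and the skew parameter are assumptions made for illustration, and the boundary second is treated as expired because RFC 7519 requires the current time to be before exp.

```javascript
// Added example: decode a JWT payload and classify its time claims.
// The signature is NOT verified, so the result is informational only.
function b64urlDecode(seg) {
  // Base64URL uses '-' and '_' and drops '=' padding; restore both.
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const malformed = (reason) => ({ status: 'malformed', reason });

// now and skew are Unix seconds; skew is an assumed clock-drift allowance.
function checkJwtTimes(token, now, skew = 0) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return malformed('expected 3 dot-separated segments');
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return malformed('payload is not Base64URL-encoded JSON');
  }
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    return malformed('payload is not a JSON object');
  }
  for (const name of ['exp', 'iat', 'nbf']) {
    // NumericDate must be a JSON number; a string like "1704067200" is rejected.
    if (name in claims && !Number.isFinite(claims[name])) return malformed(name + ' is not a number');
  }
  if ('nbf' in claims && now + skew < claims.nbf) {
    return { status: 'not_yet_valid', secondsUntilValid: claims.nbf - now };
  }
  // No exp: the token never expires on its own, so report it separately.
  if (!('exp' in claims)) return { status: 'no_expiry' };
  // RFC 7519 requires the current time to be before exp, so now == exp is expired.
  if (now - skew >= claims.exp) return { status: 'expired', secondsAgo: now - claims.exp };
  return { status: 'valid', secondsRemaining: claims.exp - now };
}

// Constructed sample: the worked-example payload with a placeholder signature.
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user_42', iat: 1704063600, exp: 1704067200, nbf: 1704063600 })),
  'placeholder-signature',
].join('.');
console.log(checkJwtTimes(SAMPLE_TOKEN, 1704065400)); // 2024-01-01 00:30:00 UTC
console.log(checkJwtTimes(SAMPLE_TOKEN, 1704070800)); // 2024-01-01 02:00:00 UTC
```

A "valid" result here only means the time claims are in range; a server must still verify the signature before trusting any claim.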

Common JWT Expiration Periods

| Token Type | Typical exp | Why |
|---|---|---|
| Access token | 5–60 minutes | Short-lived to limit damage if leaked |
| Refresh token | 7–30 days | Used to obtain new access tokens |
| OIDC ID token | 1 hour | Standard from most identity providers |
| API key (JWT) | 1–12 months | Long-lived for server-to-server calls |

Privacy and Limitations

All decoding runs in your browser. Your JWT is never sent to any server, stored, or logged. This tool does not verify the token signature — it only checks expiration claims. For signature verification, use a library like jsonwebtoken (Node.js) or PyJWT (Python) with the appropriate secret or public key.

JWT Expiry Checker FAQ

How do I check if a JWT token is expired?

Decode the JWT payload (the middle Base64URL segment) and read the exp claim. The exp value is a Unix timestamp (seconds since 1970-01-01 UTC). If the current time is greater than exp, the token is expired. This tool does that automatically — paste the token and the result appears instantly.

What is the exp claim in a JWT?

The exp (Expiration Time) claim is a registered claim defined in RFC 7519. It contains a NumericDate value — a Unix timestamp in seconds — after which the token must not be accepted. For example, exp: 1704067200 means the token expires on 2024-01-01 01:00:00 UTC.

What happens if a JWT has no exp claim?

A JWT without an exp claim never expires by itself. The token remains valid indefinitely unless the server revokes it through a blocklist, token rotation, or session invalidation. Most security guidelines recommend always setting an expiration.

What is the difference between exp, iat, and nbf?

exp (Expiration Time) is when the token expires and should be rejected. iat (Issued At) records when the token was created. nbf (Not Before) specifies the earliest time the token should be accepted. All three are Unix timestamps in seconds.

Can I check JWT expiration without a secret key?

Yes. The exp claim is in the payload, which is Base64URL-encoded but not encrypted. You can decode and read it without the signing key. The secret key is only needed to verify the signature — not to read the claims.

What are common JWT expiration times?

Access tokens typically expire in 5 to 60 minutes. Refresh tokens last 7 to 30 days. ID tokens from OIDC providers usually expire in 1 hour. The right expiration depends on your security requirements — shorter is more secure, longer is more convenient.

Is it safe to paste my JWT into this tool?

Yes. This tool runs entirely in your browser using JavaScript. Your JWT is never sent to any server, stored, or logged. Refreshing the page clears all data. For production tokens, you can also decode them with command-line tools like jq.

How do I decode a JWT manually?

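A JWT has three parts separated by dots: header.payload.signature. Split on the dots, take the middle part (payload), Base64URL-decode it, and parse the resulting JSON. Base64URL uses - and _ in place of + and / and omits the trailing = padding, so translate those characters back before using a standard Base64 decoder. In a terminal: echo 'PAYLOAD' | tr '_-' '/+' | base64 -d | jq. If base64 reports invalid input, append = characters until the payload length is a multiple of 4. The exp, iat, and nbf fields are Unix timestamps.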
