How to use the JWT Expiry Checker
Check JWT expiry in two steps:
1
Paste the JWT token
Paste any JWT into the token input area. The expiry status is evaluated instantly against the live clock shown in the toolbar.
2
Read the status and timeline
A green, red, or amber status card shows whether the token is valid, expired, or not yet active. The progress bar shows elapsed lifetime. The time claims table shows iat, nbf, and exp with their UTC strings and relative times.
When to use this tool
Use to instantly check the validity window of any JWT token:
- →Checking whether a JWT retrieved from browser storage or a cookie is still valid before making an authenticated API request
- →Diagnosing a 401 Unauthorized error by verifying that the token being sent has not expired
- →Determining exactly how long a token has been expired and when it was originally issued to understand the token lifecycle
- →Checking whether an nbf (Not Before) claim is causing a token to be rejected as not yet valid
- →Verifying that a freshly issued token has the correct expiry time before integrating a new authentication flow
- →Auditing the lifetime of tokens issued by a third-party identity provider to ensure they match your security policy
Frequently asked questions
Q:How does the tool determine if a JWT is expired?
The tool decodes the payload using Base64url and reads the exp (Expiration Time) claim, which is a Unix timestamp in seconds. It compares this value to the current time (Math.floor(Date.now() / 1000)) in real time — a new comparison is made every second. If exp is less than the current Unix timestamp, the token is marked as expired. If exp is greater than the current time, the token is valid. If no exp claim is present, the token is marked as having no expiry.
Q:What does the progress bar represent?
The progress bar shows what percentage of the token's total configured lifetime has elapsed, calculated as (now - iat) / (exp - iat) × 100. It fills from left to right over the token's lifetime: green when less than 80% has elapsed, amber between 80% and 100% to warn that the token is near expiry, and solid red once the token has expired. It requires both iat and exp claims to be present — if either is missing, the progress bar is not shown.
Q:What is the nbf (Not Before) claim and when would it fail?
The nbf (Not Before) claim is a Unix timestamp specifying the earliest time the token is valid. A token with nbf in the future is valid by signature but should not be accepted yet — it will be rejected by compliant JWT validators until the current time exceeds the nbf value. This is useful for pre-issuing tokens that become active at a scheduled time. The tool shows an amber 'Not Yet Valid' status when nbf is present and in the future, even if exp has not been reached.
Q:Why does the live countdown tick every second?
The component uses a JavaScript setInterval running every 1000 milliseconds to re-evaluate all time comparisons against the current Unix timestamp. This produces a real-time countdown that is accurate to the second without requiring any user interaction. The countdown is particularly useful for tokens that are about to expire in minutes — you can watch the remaining time decrease in real time while deciding whether to refresh the token.
Q:What happens if the JWT has no exp claim?
Tokens without an exp claim never expire and remain valid indefinitely (assuming the signature is valid). The tool shows an amber warning pill stating 'No exp claim — token never expires'. While tokens without expiry are technically valid, they represent a security risk because they cannot be invalidated by time alone — the only way to revoke them is to maintain a token blocklist or rotate the signing secret. The IETF recommends always including exp in JWTs used for authentication.
Q:How accurate is the expiry check relative to a server?
The expiry check uses your device's local clock (Date.now()), which may differ from the server's clock by a few seconds. Most JWT validators include a small 'clock skew' tolerance (typically 30–60 seconds) to account for this. If a token appears valid in this tool but is rejected by your server, the server's clock may be slightly ahead, or the server may have a stricter clock skew tolerance. Conversely, a token that appears expired here may still be accepted by a server with generous clock skew.