JWT Expiry Checker
Check JWT expiration instantly. Validate token freshness and exp claims in seconds.
How to Check JWT Expiry
- Paste your JWT token into the input field
- Click "Check Expiry" to analyze the token's expiration
- View the expiration timestamp and remaining time
- See if the token is currently valid or expired
- Understand the exp claim and UTC conversion
- Get warnings for tokens expiring soon
Understanding JWT Expiration
⏱️ The exp Claim
The "exp" (expiration time) claim is a NumericDate value that specifies when a JWT becomes invalid. It's represented as seconds since Unix epoch (January 1, 1970).
🔍 How It Works
The server compares the current time with the exp value. If the current time is at or after exp, the token is rejected. This mechanism ensures tokens have a limited lifespan.
Frequently Asked Questions
What happens when a JWT expires?
When a JWT expires, the server will reject it and return an authentication error. The user typically needs to refresh the token or log in again. This security feature prevents stolen tokens from being used indefinitely.
How do I check JWT expiration time?
Use our JWT Expiry Checker tool - paste your token and it will decode the "exp" claim, display the expiration time in human-readable format, and tell you whether the token is still valid or has expired.
What is a good JWT expiration time?
Access tokens should be short-lived (5-15 minutes) to minimize security risks. Refresh tokens can last longer (days to weeks). The exact time depends on your security requirements and how often users interact with your application.
Can I extend JWT expiration time?
You cannot extend an existing JWT's expiration time because changing it would invalidate the signature. Instead, use refresh tokens to obtain new access tokens before they expire, or re-authenticate the user.
What is the nbf claim in JWT?
The "nbf" (not before) claim specifies the time before which the JWT must not be accepted. It's the opposite of "exp" - the token is not valid until the "nbf" time is reached. This is useful for scheduled or delayed token activation.
Should I always include the exp claim?
Yes, it's strongly recommended. A JWT without an expiration can be used indefinitely if compromised. Setting an expiration time is a critical security practice that limits the window of vulnerability.
How are refresh tokens different from access tokens?
Access tokens have short lifespans and are used to access protected resources. Refresh tokens have longer lifespans and are used only to obtain new access tokens. This two-token system balances security with user convenience.
What timezone is JWT expiration in?
JWT expiration times are always in UTC (Unix timestamp). They represent seconds since January 1, 1970 00:00:00 UTC. This eliminates timezone confusion and ensures consistent validation across different servers and locations.
Can JWT expiration be validated client-side?
Yes, you can decode the JWT and check the "exp" claim client-side to provide better UX (like refreshing tokens proactively). However, always validate expiration server-side as well, since client-side checks can be bypassed.
What happens if the exp claim is missing?
If the "exp" claim is missing, the JWT technically doesn't expire. However, most secure implementations reject tokens without expiration as a security best practice. Always include an exp claim in production JWTs.
JWT Expiration Tutorial
Understanding JWT token expiration is crucial for building secure authentication systems. The expiration mechanism provides a balance between security and user experience.
Token Lifecycle
- User authenticates and receives JWT with exp claim
- Client stores token and includes in API requests
- Server validates signature and checks exp claim
- If current_time < exp: token accepted
- If current_time ≥ exp: token rejected (401 error)
- Client refreshes token or prompts re-authentication
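The exp and nbf checks from the lifecycle above, together with the FAQ answers on nbf, missing exp and clock skew, as an added example (not this tool's code). It inspects claims only and assumes signature verification has already happened on the server; the function names, the 30-second leeway, the 60-second warning window and the sample tokens are assumptions made for illustration.

```javascript
// Added example: claim-level time checks only. On a server, verify the
// signature first; nothing read from an unverified token can be trusted.
function decodePayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore base64url padding
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const claims = JSON.parse(new TextDecoder().decode(bytes));
  if (claims === null || typeof claims !== "object") throw new Error("payload is not a JSON object");
  return claims;
}

// NumericDate is a JSON number; the bound keeps it inside the JS Date range.
const isNumericDate = (v) => typeof v === "number" && Number.isFinite(v) && Math.abs(v) <= 8.64e12;

// now, leeway and warnWithin are in seconds. leeway is the clock skew
// tolerance (30 s is an assumed value, not one the page prescribes).
function checkExpiry(token, now = Math.floor(Date.now() / 1000), leeway = 30, warnWithin = 60) {
  let claims;
  try {
    claims = decodePayload(token);
  } catch (err) {
    return { status: "malformed", reason: err.message };
  }
  const { exp, nbf } = claims;
  if (exp === undefined) return { status: "rejected", reason: "missing exp" };
  // A string such as "1700000900" is refused rather than coerced.
  if (!isNumericDate(exp)) return { status: "rejected", reason: "exp is not a NumericDate" };
  if (nbf !== undefined && !isNumericDate(nbf)) return { status: "rejected", reason: "nbf is not a NumericDate" };
  if (nbf !== undefined && now + leeway < nbf) return { status: "not_yet_valid", startsIn: nbf - now };
  // Same rule as the lifecycle list: current_time >= exp means rejected.
  if (now - leeway >= exp) return { status: "expired", expiredFor: now - exp };
  const remaining = exp - now; // can be <= 0 while still inside the leeway window
  return {
    status: "valid",
    remaining,
    expiringSoon: remaining <= warnWithin,
    expiresAtUtc: new Date(exp * 1000).toISOString(),
  };
}

// Constructed sample tokens with a placeholder signature segment.
function sampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}
```

Passing `leeway = 0` reproduces the strict comparison in the list above; a non-zero leeway accepts a token for that many seconds past exp to absorb clock differences between servers.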
Best Practices
- Use short-lived access tokens
- Implement refresh tokens
- Always validate server-side
- Handle expiration gracefully
- Log expiration events
Common Timeframes
- Access token: 5-15 min
- Refresh token: 7-30 days
- Remember me: 30-90 days
- API keys: 90-365 days
- Single-use: 1-5 minutes
Security Risks
- Too long: wider attack window
- No expiration: indefinite risk
- No refresh: poor UX
- Client-only check: bypassable
- Clock skew: validation issues
Expiration Best Practices
✅ DO
- ✓ Set appropriate expiration times
- ✓ Use refresh token pattern
- ✓ Validate expiration server-side
- ✓ Handle expired tokens gracefully
- ✓ Consider clock skew tolerance
- ✓ Log token lifecycle events
- ✓ Refresh tokens proactively
❌ DON'T
- ✗ Don't omit exp claim
- ✗ Don't use very long expiration
- ✗ Don't validate only client-side
- ✗ Don't ignore exp in validation
- ✗ Don't expose token expiry details publicly
- ✗ Don't modify exp after issuance
- ✗ Don't forget to handle 401 errors
Learning Resources
RFC 7519 - JWT exp Claim: Official specification for the expiration claim
Auth0 - Refresh Tokens: Guide to implementing refresh token pattern
MDN - 401 Unauthorized: Understanding authentication errors
JWT.io - Introduction: Comprehensive JWT introduction and tools