JWT Decoder
Paste any JWT to decode its header and payload. Timestamp claims (iat, exp, nbf) are highlighted and decoded to human-readable dates. Nothing leaves your browser.
Understanding JWT Timestamp Claims
A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is widely used for authentication and authorization in APIs, single-page apps, and microservices.
JWT timestamp claims are always Unix timestamps in seconds (not milliseconds). A common bug is using Date.now() (which returns milliseconds) to set an exp claim — this results in a token that appears to expire billions of years in the future, bypassing expiry checks. Always use Math.floor(Date.now() / 1000).
JWT Timestamp Claims Reference
| Claim | Full Name | Description |
|---|---|---|
| iat | Issued At | Unix timestamp when the token was created |
| exp | Expiration Time | Unix timestamp after which the token must be rejected |
| nbf | Not Before | Unix timestamp before which the token must be rejected |
| sub | Subject | Usually a user ID — not a timestamp, but often a UUID |
| jti | JWT ID | Unique identifier for the token — used to prevent replay attacks |
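
The seconds-versus-milliseconds bug and the exp/nbf rules above, as an added example (not this tool's own code): it decodes the payload without verifying the signature and flags suspicious timestamp claims. The function names, the 1e11 threshold, the skew parameter and the sample tokens are assumptions constructed for illustration.

```javascript
// Added example: decode (NOT verify) a JWT payload and audit its timestamp claims.
// Assumption: any value above 1e11 is milliseconds (1e11 seconds is about year 5138).
const MS_THRESHOLD = 1e11;

// Base64URL -> parsed JSON. Buffer's base64 decoder tolerates missing padding.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { payload, problems }. nowSec is injectable for testing;
// skewSec is the clock-skew leeway in seconds.
function auditTimestamps(token, nowSec = Math.floor(Date.now() / 1000), skewSec = 0) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const payload = decodeSegment(parts[1]);
  const problems = [];
  for (const claim of ['iat', 'exp', 'nbf']) {
    const v = payload[claim];
    if (v === undefined) continue;
    if (typeof v !== 'number' || !Number.isFinite(v)) problems.push(`${claim}: not a number`);
    else if (v > MS_THRESHOLD) problems.push(`${claim}: looks like milliseconds`);
  }
  // RFC 7519: the current time must be before exp, and not before nbf.
  if (Number.isFinite(payload.exp) && nowSec >= payload.exp + skewSec) problems.push('expired');
  if (Number.isFinite(payload.nbf) && nowSec < payload.nbf - skewSec) problems.push('not yet valid');
  return { payload, problems };
}

// Constructed sample tokens (placeholder signature, for demonstration only).
function sampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}

const NOW = 1700000000; // fixed "current time" so the results are reproducible
const good = sampleToken({ sub: 'u1', iat: NOW - 60, exp: NOW + 900 });
const msBug = sampleToken({ sub: 'u1', iat: NOW - 60, exp: (NOW + 900) * 1000 });
const stale = sampleToken({ sub: 'u1', iat: NOW - 7200, exp: NOW - 3600 });

console.log(auditTimestamps(good, NOW).problems);
console.log(auditTimestamps(msBug, NOW).problems); // flagged, yet never "expired"
console.log(auditTimestamps(stale, NOW).problems);
```

The millisecond token is reported as a unit problem rather than as expired, which is why a plain expiry comparison never catches it.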
Common JWT Algorithms
| Algorithm | Type | Description |
|---|---|---|
| HS256 | Symmetric | HMAC-SHA256. Fast, single shared secret. Good for internal services. |
| RS256 | Asymmetric | RSA-SHA256. Private key signs, public key verifies. Good for multi-service auth. |
| ES256 | Asymmetric | ECDSA-P256-SHA256. Smaller keys than RSA, equally secure. |
Frequently Asked Questions
How do I check if a JWT is expired?
Compare the exp claim to the current Unix timestamp. If Math.floor(Date.now() / 1000) > token.exp, the token is expired. Paste your JWT above and this tool shows the expiry status automatically.
Can I verify a JWT signature with this tool?
No — signature verification requires the secret key or public key. This tool only decodes the header and payload (which are Base64URL-encoded, not encrypted). Never trust a JWT without verifying its signature in your backend.
Why does my JWT exp claim show year 2554?
You likely set exp using Date.now() (milliseconds) instead of Math.floor(Date.now() / 1000) (seconds). JWT timestamps are in seconds. Interpreting 1700000000000 ms as seconds gives a year far in the future.
What is the difference between a JWT and a session cookie?
A session cookie stores a random ID; the server looks up session data on each request. A JWT is self-contained — the payload carries the data and is verified by signature. JWTs are stateless (no server-side storage needed) but cannot be individually revoked without extra infrastructure.
How do I refresh a JWT before it expires?
Issue a long-lived refresh token alongside the short-lived access token. When the access token is within a threshold of expiry (e.g. 60 seconds), use the refresh token to obtain a new access token without re-authentication.