Skip to main content

Jak vypočítat JWT Decoder & Expiry

Co je JWT Decoder & Expiry?

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

Vzorec

JWT = base64url(header) + "." + base64url(payload) + "." + base64url(signature); Expiry valid if exp > Math.floor(Date.now()/1000)
header
Header (JSON) — Algorithm (alg) and token type (typ)
payload
Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

Průvodce krok za krokem

  1. 1Paste the full JWT token into the input field
  2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
  3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
  4. 4Header and payload are parsed as JSON
  5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
  6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
  7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

Worked Examples

Vstup
Standard JWT with exp claim set to future date
Výsledek
Valid, algorithm HS256, expires in X days
Vstup
Expired token (exp in past)
Výsledek
EXPIRED status, days since expiry shown
Vstup
Malformed token (not 3 parts)
Výsledek
Error — Invalid JWT format

Common Mistakes to Avoid

  • Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
  • Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
  • Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
  • Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

Frequently Asked Questions

Is JWT decoding the same as verifying?

No. Decoding extracts the contents anyone can read. Verification cryptographically checks the signature using the secret (HMAC) or public key (RSA/ECDSA). Always verify before trusting token contents.

Where should I store JWTs?

For browser apps: httpOnly secure cookies (not localStorage — XSS vulnerable). For mobile: secure keychain/keystore. For server-to-server: environment variables or secret managers.

How long should JWT expiration be?

Short-lived access tokens (15-60 minutes) paired with longer refresh tokens (days/weeks). Avoid tokens that don't expire — revocation becomes nearly impossible.

Jste připraveni počítat? Vyzkoušejte bezplatnou kalkulačku JWT Decoder & Expiry

Zkuste to sami →

Nastavení

SoukromíPodmínkyO nás© 2026 PrimeCalcPro