Skip to main content

Cara Menghitung JWT Decoder & Expiry

learn.whatIsHeading

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

Rumus

JWT = base64url(header) + "." + base64url(payload) + "." + base64url(signature); Expiry valid if exp > Math.floor(Date.now()/1000)
header
Header (JSON) — Algorithm (alg) and token type (typ)
payload
Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

Panduan Langkah demi Langkah

  1. 1Paste the full JWT token into the input field
  2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
  3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
  4. 4Header and payload are parsed as JSON
  5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
  6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
  7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

Contoh Terpecahkan

Masukan
Standard JWT with exp claim set to future date
Hasil
Valid, algorithm HS256, expires in X days
Masukan
Expired token (exp in past)
Hasil
EXPIRED status, days since expiry shown
Masukan
Malformed token (not 3 parts)
Hasil
Error — Invalid JWT format

Kesalahan Umum yang Harus Dihindari

  • Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
  • Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
  • Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
  • Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

Pertanyaan yang sering diajukan

Is JWT decoding the same as verifying?

No. Decoding extracts the contents anyone can read. Verification cryptographically checks the signature using the secret (HMAC) or public key (RSA/ECDSA). Always verify before trusting token contents.

Where should I store JWTs?

For browser apps: httpOnly secure cookies (not localStorage — XSS vulnerable). For mobile: secure keychain/keystore. For server-to-server: environment variables or secret managers.

How long should JWT expiration be?

Short-lived access tokens (15-60 minutes) paired with longer refresh tokens (days/weeks). Avoid tokens that don't expire — revocation becomes nearly impossible.

Siap menghitung? Coba Kalkulator JWT Decoder & Expiry gratis

Cobalah sendiri →

Pengaturan

PrivasiKetentuanTentang© 2026 PrimeCalcPro