Skip to main content

learn.howToCalculate

learn.whatIsHeading

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

Wzór

JWT = base64url(header) + "." + base64url(payload) + "." + base64url(signature); Expiry valid if exp > Math.floor(Date.now()/1000)
header
Header (JSON) — Algorithm (alg) and token type (typ)
payload
Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

Przewodnik krok po kroku

  1. 1Paste the full JWT token into the input field
  2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
  3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
  4. 4Header and payload are parsed as JSON
  5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
  6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
  7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

Rozwiązane przykłady

Wejście
Standard JWT with exp claim set to future date
Wynik
Valid, algorithm HS256, expires in X days
Wejście
Expired token (exp in past)
Wynik
EXPIRED status, days since expiry shown
Wejście
Malformed token (not 3 parts)
Wynik
Error — Invalid JWT format

Częste błędy do unikania

  • Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
  • Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
  • Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
  • Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

Często zadawane pytania

Is JWT decoding the same as verifying?

No. Decoding extracts the contents anyone can read. Verification cryptographically checks the signature using the secret (HMAC) or public key (RSA/ECDSA). Always verify before trusting token contents.

Where should I store JWTs?

For browser apps: httpOnly secure cookies (not localStorage — XSS vulnerable). For mobile: secure keychain/keystore. For server-to-server: environment variables or secret managers.

How long should JWT expiration be?

Short-lived access tokens (15-60 minutes) paired with longer refresh tokens (days/weeks). Avoid tokens that don't expire — revocation becomes nearly impossible.

Gotowy do obliczeń? Wypróbuj darmowy kalkulator JWT Decoder & Expiry

Spróbuj sam →

Ustawienia

PrywatnośćRegulaminO nas© 2026 PrimeCalcPro