Skip to main content

Jinsi ya kukokotoa JWT Decoder & Expiry

JWT Decoder & Expiry ni nini?

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

Fomula

JWT = base64url(header) + "." + base64url(payload) + "." + base64url(signature); Expiry valid if exp > Math.floor(Date.now()/1000)
header
Header (JSON) — Algorithm (alg) and token type (typ)
payload
Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

Mwongozo wa Hatua kwa Hatua

  1. 1Paste the full JWT token into the input field
  2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
  3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
  4. 4Header and payload are parsed as JSON
  5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
  6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
  7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

Mifano Iliyotatuliwa

Ingizo
Standard JWT with exp claim set to future date
Matokeo
Valid, algorithm HS256, expires in X days
Ingizo
Expired token (exp in past)
Matokeo
EXPIRED status, days since expiry shown
Ingizo
Malformed token (not 3 parts)
Matokeo
Error — Invalid JWT format

Makosa ya Kawaida ya Kuepuka

  • Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
  • Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
  • Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
  • Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

Maswali yanayoulizwa mara kwa mara

Is JWT decoding the same as verifying?

No. Decoding extracts the contents anyone can read. Verification cryptographically checks the signature using the secret (HMAC) or public key (RSA/ECDSA). Always verify before trusting token contents.

Where should I store JWTs?

For browser apps: httpOnly secure cookies (not localStorage — XSS vulnerable). For mobile: secure keychain/keystore. For server-to-server: environment variables or secret managers.

How long should JWT expiration be?

Short-lived access tokens (15-60 minutes) paired with longer refresh tokens (days/weeks). Avoid tokens that don't expire — revocation becomes nearly impossible.

Je, uko tayari kukokotoa? Jaribu Kikokotoo kisicholipishwa cha JWT Decoder & Expiry

Jaribu mwenyewe →

Mipangilio

FaraghaMashartiKuhusu© 2026 PrimeCalcPro