如何计算JWT Decoder & Expiry

learn.whatIsHeading

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

公式

header

Header (JSON) — Algorithm (alg) and token type (typ)

payload

Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

分步指南

1. 1Paste the full JWT token into the input field
2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
4. 4Header and payload are parsed as JSON
5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

例题解析

常见错误注意事项

• ✕Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
• ✕Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
• ✕Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
• ✕Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

常见问题