Skip to main content
Calkulon

How to Calculate JWT Decoder & Expiry

What is JWT Decoder & Expiry?

The JWT Decoder & Expiry Calculator parses a JSON Web Token (RFC 7519), decodes its base64url-encoded header and payload, and analyzes claims including expiration time (exp), issued-at (iat), not-before (nbf), subject (sub), issuer (iss), and audience (aud). JWTs are the standard token format for stateless authentication in modern web APIs, used by OAuth2/OIDC providers (Auth0, Okta, AWS Cognito, Clerk, Firebase) and most session systems.

Formula

JWT = base64url(header) + "." + base64url(payload) + "." + base64url(signature); Expiry valid if exp > Math.floor(Date.now()/1000)
header
Header (JSON) — Algorithm (alg) and token type (typ)
payload
Payload (JSON) — Claims about subject — exp, iat, sub, iss, custom claims

Step-by-Step Guide

  1. 1Paste the full JWT token into the input field
  2. 2Calculator splits the token on periods into 3 parts: header.payload.signature
  3. 3Each part is base64url-decoded (URL-safe base64 variant with - / _ instead of + / and no padding)
  4. 4Header and payload are parsed as JSON
  5. 5Calculator extracts standard claims: exp (expiration), iat (issued at), nbf (not before), sub, iss, aud
  6. 6Status checked: expired if exp < current time; expiring-soon if < 7 days; not-yet-valid if nbf > current; valid otherwise
  7. 7Signature is shown but NOT verified — verification requires the issuer's public key or shared secret

Worked Examples

Input
Standard JWT with exp claim set to future date
Result
Valid, algorithm HS256, expires in X days
Input
Expired token (exp in past)
Result
EXPIRED status, days since expiry shown
Input
Malformed token (not 3 parts)
Result
Error — Invalid JWT format

Common Mistakes to Avoid

  • Confusing decode with verify — this tool only decodes; signature verification requires the secret/public key
  • Trusting unverified JWT contents — never use decoded payload in security decisions without verifying signature first
  • Storing JWTs in localStorage with sensitive data — vulnerable to XSS; use httpOnly cookies for production
  • Forgetting to handle clock skew — allow 30-60 seconds tolerance on exp/nbf comparisons between servers

Frequently Asked Questions

Is JWT decoding the same as verifying?

No. Decoding extracts the contents anyone can read. Verification cryptographically checks the signature using the secret (HMAC) or public key (RSA/ECDSA). Always verify before trusting token contents.

Where should I store JWTs?

For browser apps: httpOnly secure cookies (not localStorage — XSS vulnerable). For mobile: secure keychain/keystore. For server-to-server: environment variables or secret managers.

How long should JWT expiration be?

Short-lived access tokens (15-60 minutes) paired with longer refresh tokens (days/weeks). Avoid tokens that don't expire — revocation becomes nearly impossible.

Ready to calculate? Try the free JWT Decoder & Expiry Calculator

Try it yourself →

Settings

PrivacyTermsAbout© 2026 Calkulon