JWT expiry check
Clientexp / nbf / iat vs local time—pair with JWT decode.
About JWT expiry check
See exp, nbf, and iat on a JWT vs your browser clock—expired or not-yet-valid hints; decode-only. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Reads exp, nbf, and iat against your browser clock. For full header/payload JSON, use JWT decode.
Token is expired (exp in the past).
| Claim | ISO time | Relative |
|---|---|---|
| iat | 2018-01-18T01:30:22.000Z | 3054d ago |
| nbf | 2020-09-13T12:26:40.000Z | 2084d ago |
| exp | 2023-11-14T22:13:20.000Z | 927d ago |
Nearby workflows on Toolcore
- JWT decode — Inspect JWT header and payload as JSON in browser; signature not verified. before you trust a token, digest, or key material in production.
- JWT sign & verify — Sign HS256/384/512 JWTs or verify HMAC signatures in the browser—pair with JWT decode for claims. before you trust a token, digest, or key material in production.
- JWT verify (RSA / ECDSA) — Verify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only. before you trust a token, digest, or key material in production.
- Unix timestamp converter — Epoch to date: seconds, milliseconds, ISO-8601, UTC and local time—in browser. before you trust a token, digest, or key material in production.
Common use cases
- Quickly see if a staging token is expired before debugging API 401s.
- Check nbf (not before) when clocks skew between issuer and client.
- Read iat alongside exp when reviewing token lifetime policy.
Common mistakes to avoid
Treating this as signature verification
This only reads time claims—it does not validate trust or integrity.
Ignoring clock skew
Comparison uses your device clock; large skew can mislead nbf/exp checks.
FAQ
Which claims are shown?
iat, nbf, and exp when present in the payload JSON.
Need full JSON?
Use JWT decode for header/payload pretty-printing.
More tools
Related utilities you can open in another tab—mostly client-side.
JWT decode
ClientInspect JWT header and payload as JSON in browser; signature not verified.
JWT sign & verify
ClientSign HS256/384/512 JWTs or verify HMAC signatures in the browser—pair with JWT decode for claims.
JWT verify (RSA / ECDSA)
ClientVerify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only.
Unix timestamp converter
ClientEpoch to date: seconds, milliseconds, ISO-8601, UTC and local time—in browser.