JWT time bugs often come from seconds versus milliseconds, timezone confusion or trusting decoded payloads without signature verification.
Workflow
- Decode the JWT header and payload without treating decoded data as trusted.
- Convert exp, iat and nbf claims from Unix seconds to readable UTC time.
- Compare token time claims with current server time, not only browser time.
- Check issuer, audience and subject claims against the application configuration.
- Verify the JWT signature with the correct secret or public key on the server.
Checks before production
- JWT exp, iat and nbf are usually Unix timestamps in seconds.
- JavaScript Date.now() returns milliseconds, which can create broken tokens if the value is copied directly into a claim.
- Decoded payload inspection is useful for debugging but not proof of trust.
- Clock skew between servers can break valid-looking tokens.
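The time checks from the workflow and the list above, as an added example that is not code from this page or from any JWT library. The function names, the 60-second leeway, the millisecond threshold and the sample token are assumptions; it covers only exp, iat and nbf, so the signature, issuer and audience checks still have to run on the server.

```javascript
// Added example; function names and the sample token are constructed for illustration.
const MS_THRESHOLD = 1e11; // read as seconds this is past the year 5000, so larger values are almost certainly milliseconds

// Build an unsigned sample token (constructed input; the signature segment is a placeholder).
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Decode the payload for inspection only; nothing here proves the token is authentic.
function decodeUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Unix seconds to a readable UTC string.
function toUtc(sec) { return new Date(sec * 1000).toISOString(); }

// Returns a list of findings; an empty list means the time claims are consistent.
// nowSec must be the server clock in seconds; leewaySec absorbs clock skew between servers.
function checkTimeClaims(payload, nowSec, leewaySec = 60) {
  const findings = [];
  if (nowSec > MS_THRESHOLD) findings.push('now: server time was passed in milliseconds');
  for (const name of ['exp', 'iat', 'nbf']) {
    const v = payload[name];
    if (v === undefined) continue;
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      findings.push(`${name}: not a numeric timestamp`);
    } else if (v > MS_THRESHOLD) {
      findings.push(`${name}: ${v} looks like milliseconds, expected seconds`);
    }
  }
  if (findings.length) return findings; // unit errors make the comparisons below meaningless
  const { exp, iat, nbf } = payload;
  if (exp !== undefined && nowSec >= exp + leewaySec) findings.push(`exp: expired at ${toUtc(exp)}`);
  if (nbf !== undefined && nowSec < nbf - leewaySec) findings.push(`nbf: not valid before ${toUtc(nbf)}`);
  if (iat !== undefined && iat > nowSec + leewaySec) findings.push(`iat: issued in the future (${toUtc(iat)})`);
  if (exp !== undefined && iat !== undefined && exp <= iat) findings.push('exp: not later than iat');
  return findings;
}
```

Call it with Math.floor(Date.now() / 1000) as nowSec on the server, not with a time taken from the browser.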
FAQ
Can I trust a decoded JWT?
No. You must verify the signature and expected claims before trusting it.
Why is my token expired immediately?
A common cause is using milliseconds where the token expects seconds.
Last updated: May 18, 2026