Understand JWT time claims — issued at, expiration, and not before. Decode tokens and debug auth failures safely in the browser.
Registered Timing Claims in JWT
JSON Web Tokens, defined across the JOSE family of RFCs including RFC 7519 for JWT, carry claims that assert identity and context. Among the registered claims, iat (issued at), exp (expiration), and nbf (not before) govern temporal validity. They are NumericDate values—seconds since the Unix epoch—unless your stack documents otherwise. Misreading milliseconds as seconds is a notorious bug that makes tokens appear expired instantly or valid for decades. The JWT Decoder on ToolsFree.org decodes payloads so you can read these fields without writing throwaway scripts.
Timing claims do not replace revocation, password changes, or permission updates. A token can be unexpired yet unacceptable if your server blacklists it or if the user lost privileges. Treat exp as a necessary bound on reuse, not as a complete security strategy. Pair short-lived access tokens with refresh flows or session stores when you need tighter control. Decode production-like samples during design reviews so product and security engineers share the same mental model.
Mobile apps should surface friendly session expiry messaging rather than cryptic JWT errors when exp passes during backgrounding. Coordinate silent refresh before visible failure whenever the platform allows secure token storage. Measure how often refresh fails due to revoked sessions versus simple expiry so product and security teams can tune lifetimes together. Clear UX around timing claims reduces password reset volume that has nothing to do with forgotten credentials and everything to do with aggressive absolute timeouts.
iat: Capturing When the Token Was Created
The iat claim records issuance time and helps detect clock-skew anomalies, compute token age, and enforce maximum lifetimes independent of exp in some policies. Servers may reject tokens whose iat sits too far in the future, which can indicate misconfigured client clocks or tampering. Logging iat alongside request IDs speeds incident response when users report sudden logouts. Keep iat in UTC epoch seconds and avoid locale-formatted strings inside JWT payloads.
Some libraries set iat automatically when signing; others require you to supply it. Be consistent across services that mint tokens. If you embed both iat and a custom issued_at string, you invite drift. Prefer the registered claim. When debugging, convert epoch values with the Timestamp Converter to human-readable UTC and local time so support staff can correlate events with application logs.
When integrating multiple issuers, keep clock skew policy consistent or you will see intermittent failures only for one identity provider. Document leeway seconds beside each issuer entry in configuration. Alert when reject rates for nbf or exp spike after a deploy that touches time utilities. The Timestamp Converter helps humans convert epochs while comparing provider documentation examples against tokens you mint in staging during certification tests with partners.
exp: Defining the Hard Stop for Acceptance
Receivers must reject tokens with exp in the past, with a small optional leeway for clock skew as suggested by common implementation practice. Access tokens often expire in minutes; refresh tokens or ID tokens may last longer depending on the identity protocol in play. Public clients should use shorter lifetimes because token theft from browsers is a realistic threat. Document lifetimes in your OAuth or OIDC configuration, not only in tribal knowledge.
Never put long-lived tokens in localStorage without additional defenses if XSS is possible; prefer httpOnly cookies with careful CSRF protections when browsers are involved. For machine-to-machine APIs, short exp plus mTLS or proof-of-possession improves posture. Decode tokens in the JWT Decoder during QA to confirm the exp you configured is the exp you actually mint. Configuration bugs frequently mint eight-hour tokens when you intended eight minutes.
- Reject exp in the past (plus small skew leeway)
- Keep access token lifetimes short for public clients
- Document TTL in identity provider configuration
- Verify minted tokens during QA by decoding claims
nbf: Delaying Validity Intentionally
The nbf claim marks the moment before which a token must not be accepted. It is useful for scheduled credential activation, future-dated vouchers, or mitigating race conditions when clocks differ slightly across nodes. If nbf is absent, tokens are eligible immediately subject to other checks. Setting nbf equal to iat is redundant but sometimes appears in generated tokens from certain libraries.
Clock skew between issuer and audience is the main operational hazard. If audience clocks run fast, tokens look not-yet-valid; if they run slow, exp fails early. Monitor NTP synchronization on authenticating hosts. Allow a modest leeway window—often tens of seconds—without expanding it so far that stolen tokens gain meaningful extra life. Record skew-related rejects distinctly in metrics so you can tell infrastructure problems from attacks.
Validation Order and Library Pitfalls
A robust validator verifies signature and cryptographic algorithm first, then audience and issuer, then timing claims, then custom application claims. Skipping signature checks because you “only want to read exp” is dangerous if the decode path ever becomes the accept path. Use well-maintained libraries and pin algorithms; reject alg=none. RFC 8725 discusses JWT best current practices worth reading before production rollout.
Base64URL encoding of JWT segments differs from standard Base64; padding is often omitted. When manual debugging, the Base64 Encoder and JWT Decoder together clarify whether a segment is malformed. Pretty-print JSON payloads with the JSON Formatter after decoding if you need to share redacted claims in a ticket. Never paste live refresh tokens into shared channels.
{
"sub": "user_123",
"iat": 1710000000,
"nbf": 1710000000,
"exp": 1710003600,
"iss": "https://auth.example.com/",
"aud": "api.example.com"
}
Refresh Strategies and Sliding Sessions
Short exp on access tokens forces refresh flows that renew credentials without collecting passwords again. Sliding sessions extend validity on activity, but you must still enforce absolute session limits to contain stolen credentials. Rotate refresh tokens and detect reuse to catch theft. Align mobile offline tolerance with security requirements; endless offline access conflicts with rapid revocation goals.
Server-side session stores can invalidate quickly at the cost of added state. Stateless JWT access tokens scale horizontally but complicate instant revocation. Many architectures combine both: JWT for short access, server state for refresh and revocation lists. Choose explicitly and test logout across devices. Timing claims alone will not save a design that mints week-long bearer tokens for browsers.
Debugging Expiration Bugs in Production
Collect the failing token only with user consent and redaction, decode it, and convert iat/exp/nbf through the Timestamp Converter. Compare application server time, identity provider time, and client device time. Look for millisecond/second mismatches, incorrect time zones applied before epoch conversion, and load balancers routing to hosts with drifted clocks. Metrics on auth reject reasons should distinguish expired versus not-yet-valid versus bad signature.
Reproduce with tokens minted in staging at known timestamps. Freeze clocks in tests using dependency injection rather than sleeping. When distributed tracing is available, attach token age histograms to spans. Share a short runbook on ToolsFree.org tool usage so on-call engineers decode claims consistently without installing new CLI utilities during an incident.
Practical Checklist Before You Ship Auth Changes
Confirm registered claims use seconds, signatures validate with the intended keys, and audiences match each API. Set explicit exp for every token type and verify with the JWT Decoder. Add monitors for spikes in expiration failures after deploys. Review RFC 7519 claim definitions and RFC 8725 practices during security review. Keep secrets for signing in a KMS rather than application config files.
Educate frontend teams not to parse JWT payloads for authorization decisions that the server must enforce anyway. Client-side decoding is fine for UX display of expiry, not for access control. Browse related utilities on All Tools when your auth debugging also involves JSON formatting or Base64URL inspection. Solid timing claims are a small slice of auth—but getting them wrong causes some of the noisiest production outages.
- Signature and alg checks before trust
- iat/exp/nbf in NumericDate seconds
- Short access TTLs plus refresh strategy
- Clock sync and skew leeway monitored

Decode a JWT and inspect iat, exp, and nbf claims in your browser. JWT Decoder →