JWT Expiry Calculator

Frequently Asked Questions

What TTL should access tokens use?

5-15 minutes is the modern recommendation for access tokens - short enough to limit damage from leakage, long enough to reduce refresh frequency. Pair with refresh tokens that last hours to days.

Can I extend a token's lifetime?

No - the exp claim is cryptographically signed, so it cannot be changed without invalidating the signature. Use a refresh token to obtain a new access token before the old one expires.

What is clock skew and why does it matter?

Clock skew is the difference between clocks on different servers. A token expiring at T may be rejected by a server with a slightly ahead clock. JWT libraries include configurable leeway (commonly 30-60 seconds) to tolerate minor skew.

What if there is no exp claim?

The token never expires by time - a security risk because leaked tokens remain valid indefinitely. Always include an expiry, and implement server-side revocation for critical operations.

Provided by AllCalculators.io
Free online calculators for everyday. No registration required.

Estimates for informational purposes only.

Important Disclaimer: Estimates for informational purposes only.

This calculator provides estimates for informational purposes only. Results are based on assumptions and may not reflect actual outcomes. Consult qualified professionals in relevant fields before making important decisions based on these results.

JavaScript is required to use the interactive calculator above. The questions and answers below remain readable without JavaScript.

How It Works

A JSON Web Token (JWT) carries two standard time claims: iat (issued-at) and exp (expires-at), both expressed as Unix timestamps - whole seconds since 1970-01-01 00:00:00 UTC. When an auth server mints a token it sets exp = iat + TTL, where TTL is the configured token lifetime.

This calculator works in two modes. In iat + TTL mode, provide an issue timestamp (or leave it blank to use now) and a lifetime value with a unit, and it returns the exact exp value, its ISO-8601 form, and a human countdown to expiry. In exp claim mode, paste the raw integer from a decoded JWT payload and it tells you whether the token is currently valid and how much time remains.

Use Cases

JWT time math comes up regularly in authentication and authorization work:

Verifying that a new auth server configuration produces the expected token lifetime before deploying to production

Debugging a 'token expired' error by checking whether the server and client clocks are synchronized

Quickly checking whether a token from a log or debug trace is still valid without manually computing Unix timestamps

Documenting token lifetimes in architecture decisions (access token 15 min, refresh token 7 days, etc.)

Checking the expiry when investigating session management issues reported by users

Tips

JWT NumericDate is always in seconds since the Unix epoch, never milliseconds. A millisecond timestamp is 1,000x too large and will show a year in the far future (around year 56000).

Short-lived access tokens (5-15 minutes) paired with longer-lived refresh tokens (hours to days) are the modern standard - they minimize the blast radius of a leaked access token.

Always set an exp claim. Tokens without an expiry remain valid forever, which is a significant security risk if they are ever leaked.

JWT verifiers typically allow a small clock skew tolerance (30-60 seconds) so that tokens don't immediately fail due to minor time synchronization differences between servers.

The JWT payload is only Base64url-encoded, not encrypted - never put secrets or sensitive personal data in a JWT payload unless you use JWE (JSON Web Encryption).

FAQ

What TTL should access tokens use?

5-15 minutes is the modern recommendation for access tokens - short enough to limit damage from token leakage, long enough to reduce the frequency of refresh operations. Pair with refresh tokens that last hours to days depending on your security requirements.

Can I extend a token's lifetime?

No - the exp claim is cryptographically signed into the token, so it cannot be changed without invalidating the signature. The standard approach is to use a refresh token to obtain a new access token before the old one expires.

What is clock skew and why does it matter?

Clock skew is the difference between the clocks on different servers. A token that expires at T may be rejected by a server whose clock is slightly ahead, or accepted by one slightly behind. Most JWT libraries include a configurable leeway (commonly 30-60 seconds) to tolerate minor skew.

What if there is no exp claim?

The token never expires by time. This is a security risk because leaked tokens remain valid indefinitely. Always include an expiry, and implement server-side token revocation (blocklist) for critical operations like password reset tokens.

JWT Expiry Calculator

Frequently Asked Questions

Related Developer Tools Calculators