How do I check if a JWT token is expired?
Checking JWT expiration is essential for secure authentication flows.
Understanding exp Claim:
The exp (expiration) claim is a Unix timestamp (seconds since January 1, 1970):
- Example: 1735689600 represents a specific date and time
- Compare it to the current time to check if the token has expired
- Standard JWT libraries automatically validate this
Manual Expiration Check:
- Decode the JWT to access the payload
- Extract the exp claim value
- Get the current time as a Unix timestamp: Math.floor(Date.now() / 1000)
- Compare: if exp < current time, the token is expired
Example in JavaScript:
const base64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'); // JWT segments are base64url; atob expects standard base64
const payload = JSON.parse(atob(base64));
const currentTime = Math.floor(Date.now() / 1000);
const isExpired = payload.exp < currentTime;
What Happens When Expired:
- Server should reject the token with 401 Unauthorized
- Client should request a new token (refresh flow)
- User may need to re-authenticate
Handling Expiration:
- Check before sending: Avoid sending expired tokens
- Refresh tokens: Use refresh tokens to get new access tokens
- Grace period: Some systems allow a small buffer
- User experience: Automatically refresh or prompt re-login
Best Practices:
- Short expiration: Access tokens should expire quickly (5-30 minutes)
- Refresh tokens: Use longer-lived refresh tokens (hours to days)
- Proactive refresh: Refresh before expiration, not after
- Handle failures: Gracefully handle expired token errors
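The following is an added example, not code from this decoder tool or from any JWT library, that puts the manual check and the handling advice above together: it decodes the base64url payload correctly, treats a missing exp as expired (a plain exp < now comparison silently accepts such a token), applies a clock-skew grace period, and reports a "refresh" state when a token is close enough to expiry that it should be renewed proactively. The function names (checkJwtExpiry, decodeJwtPayload, makeSampleJwt), the option names and the sample tokens are all assumptions constructed here; the sample tokens carry a placeholder signature segment because the example only decodes and never verifies, which is all a client can do before sending a token.

```javascript
// Added example: client-side expiry classification for a JWT.
// Decoding the payload is not validation: only the server's signature check
// makes the exp claim trustworthy. This tells the client whether to send,
// refresh, or re-authenticate.

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 7515): '-' and '_' instead of '+' and '/', no padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(padded, 'base64').toString('utf8'); // Node
  }
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0)); // browser
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// opts.now            current Unix time in seconds (defaults to Date.now())
// opts.leewaySec      grace period for clock skew: expired only if exp + leeway < now
// opts.refreshAheadSec report "refresh" when this close to expiry (proactive refresh)
function checkJwtExpiry(token, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const leewaySec = opts.leewaySec ?? 0;
  const refreshAheadSec = opts.refreshAheadSec ?? 60;
  const payload = decodeJwtPayload(token);

  // A missing or non-numeric exp is treated as expired. With the naive
  // comparison, `undefined < now` is false, so a token with no lifetime
  // at all would be accepted as "not expired".
  if (typeof payload.exp !== 'number') {
    return { state: 'expired', reason: 'missing exp claim', secondsLeft: 0 };
  }
  const secondsLeft = payload.exp - now;
  if (secondsLeft + leewaySec < 0) {
    return { state: 'expired', reason: `expired ${-secondsLeft}s ago`, secondsLeft };
  }
  if (secondsLeft <= refreshAheadSec) {
    return { state: 'refresh', reason: `expires in ${secondsLeft}s`, secondsLeft };
  }
  return { state: 'valid', reason: `expires in ${secondsLeft}s`, secondsLeft };
}

// Constructed sample tokens (assumption: built here so the example runs offline).
// The signature segment is a placeholder; this example never verifies it.
function makeSampleJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(payload));
  const signature = base64UrlEncode('placeholder-signature-not-verified');
  return `${header}.${body}.${signature}`;
}

const NOW = 1735689600; // fixed "current time" so the results are deterministic
const SAMPLES = {
  fresh:   makeSampleJwt({ sub: 'user-1', iat: NOW - 60,   exp: NOW + 900 }),
  closing: makeSampleJwt({ sub: 'user-1', iat: NOW - 870,  exp: NOW + 30 }),
  stale:   makeSampleJwt({ sub: 'user-1', iat: NOW - 1800, exp: NOW - 120 }),
  noExp:   makeSampleJwt({ sub: 'user-1', iat: NOW - 60 }),
};

for (const [name, token] of Object.entries(SAMPLES)) {
  const r = checkJwtExpiry(token, { now: NOW, leewaySec: 30, refreshAheadSec: 60 });
  console.log(name.padEnd(8), r.state.padEnd(8), r.reason);
}
```

The three states map onto the handling advice: "valid" means send the token as is, "refresh" means run the refresh flow before the token expires rather than after, and "expired" means do not send it at all and fall back to refresh or re-login. The leeway only widens the window for tokens that are slightly past exp; it never makes a token with no exp acceptable.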
Using This Tool:
This JWT decoder shows:
- Whether a token is expired (red warning)
- Time until expiration (for valid tokens)
- Time since expiration (for expired tokens)
- Token age (time since iat)
Regular expiration checking is crucial for maintaining secure sessions and good user experience in applications using JWT authentication.