DevToolsForYou
Private by default. Runs in your browser.

JWT expiry visual timeline

Paste a JWT and see its full lifecycle on a timeline — issued, not-before, expiry, and whether it's currently active.


About this tool

Paste a JWT and see its issued-at, not-before, and expiry timestamps plotted on a visual timeline. Instantly know if a token is active, expired, or not yet valid — with all claims decoded inline.

No signup required. Runs in your browser. Instant results.

How to use
  1. Paste your JWT into the input box.

  2. The header, payload, and signature are decoded and displayed.

  3. The visual timeline shows iat (issued), nbf (not before), exp (expiry), and the current time.

  4. Token status (Active, Expired, Not yet valid) is shown prominently at the top.

Why use this tool?
  • Debug an authentication issue by checking whether a JWT is already expired.

  • Verify the iat and exp of a token returned from a new auth flow.

  • Understand the nbf claim and why a freshly issued token might be rejected.

  • Share a decoded token view with a colleague for debugging without revealing the signing secret.

Examples
Input → output

Sample JWT

Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output: Decoded payload with iat: 2018-01-18

Common errors
And how to fix them

Invalid JWT format

Cause: A JWT must have exactly three Base64URL-encoded segments separated by dots.

Fix: Make sure you paste the complete token. Tokens copied from DevTools or API responses sometimes have leading/trailing whitespace — trim it and try again.

No exp claim found

Cause: The token payload does not contain an exp (expiry) field. Not all JWTs have an expiry.

Fix: The timeline will still show iat and nbf if present. Check with your token issuer whether expiry is set.

Frequently asked questions
Common questions answered

These answers explain common JWT timeline tasks, expected input formats, and edge cases so both visitors and search engines can understand what this tool does.

Is the JWT signature verified?

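No. Signature verification requires the secret or public key, which this tool does not ask for. The tool only decodes the header and payload (which are public Base64URL data). Because the signature is not checked, the decoded claims show what the token says, not that the token is authentic. Never share tokens containing sensitive user data.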

What timestamp claims are visualised?

iat (issued at), nbf (not before), and exp (expiration). All are standard JWT registered claims defined in RFC 7519. If any are missing from the token, the timeline omits that marker.

Are token contents sent to a server?

No. Decoding is done entirely in JavaScript in your browser. The token never leaves your machine.

How is the current time shown on the timeline?

A 'now' marker is placed on the timeline relative to iat and exp. The token status — Active, Expired, or Not yet valid — is derived by comparing the current Unix timestamp to nbf and exp.
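
The decode and status check described above, sketched as an added example (not this tool's source code; the names `decodeSegment`, `jwtTimeline` and `SAMPLE_JWT` are assumptions made for illustration). It does not verify the signature, so the result is suitable for debugging only, never for an authorization decision.

```javascript
// Added illustration; names are hypothetical, not the tool's source code.
// Decode only: the signature is NOT verified, so every claim is untrusted.
const SAMPLE_JWT = // the sample token shown on this page
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("Invalid JWT format");
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function jwtTimeline(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Trim first: copied tokens often carry leading/trailing whitespace.
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("Invalid JWT format");
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    throw new Error("Invalid JWT format");
  }
  if (payload === null || typeof payload !== "object") {
    throw new Error("Invalid JWT format");
  }
  // Timestamp claims are seconds since the Unix epoch; a missing claim
  // gets no marker, a malformed one gets a warning instead of a marker.
  const markers = {};
  const warnings = [];
  for (const claim of ["iat", "nbf", "exp"]) {
    const v = payload[claim];
    if (Number.isFinite(v) && Math.abs(v) <= 8.64e12) {
      markers[claim] = new Date(v * 1000).toISOString();
    } else if (v !== undefined) {
      warnings.push(`${claim} is not a usable timestamp`);
    }
  }
  if (payload.exp === undefined) warnings.push("No exp claim found");
  // Status: before nbf -> not yet valid; at or after exp -> expired.
  let status = "Active";
  if ("nbf" in markers && nowSeconds < payload.nbf) status = "Not yet valid";
  else if ("exp" in markers && nowSeconds >= payload.exp) status = "Expired";
  return { header, payload, markers, status, warnings };
}
```

Passing `nowSeconds` explicitly makes the status reproducible when comparing a token against the time an authentication failure was logged.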