About JWT Timeline

Decode JWT + show iat / nbf / exp as ISO + delta from now. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Backend developers debugging expired token errors in API responses
• Security engineers verifying token lifetimes comply with security policies
• DevOps teams troubleshooting clock skew issues between microservices
• QA testers checking that token expiry matches the configured TTL

Tips

• Paste a JWT to see iat, nbf, and exp as readable ISO timestamps
• Check the delta from now to see if a token is expired or not yet valid
• Use it to debug token lifetime issues in OAuth and API authentication

Fun Facts

• JWT timestamps use Unix epoch seconds (seconds since January 1, 1970), not milliseconds — a common source of bugs when JavaScript's Date.now() returns milliseconds.
• The 'nbf' (not before) claim is often overlooked but is critical for tokens issued slightly before the recipient's clock — clock skew of 30-60 seconds is common.
• JWTs with no 'exp' claim never expire, which is a security risk. OWASP recommends access tokens expire in 5-15 minutes and refresh tokens in 7-30 days.

FAQ

What's the timeline view?

Shows iat (issued at), nbf (not before), and exp (expiration) as timestamps with visual timeline. Plus delta from now (+15 minutes, -3 hours).

Why is this useful?

Auth debugging — when a token is rejected, knowing whether it's not-yet-valid, expired, or in the wrong time zone speeds diagnosis.

What about clock skew?

Yes — the tool shows relative time. Some auth servers allow ±30s clock skew; the timeline makes clock-drift issues visible.

Does it validate the signature?

No — just shows the timestamps. Use JWT Encoder/Decoder for signature operations. Timeline focuses on the time-related claims.