DevToolbox

Timestamps in JWT Tokens

How timestamps are used in JWT tokens: exp (expiration), iat (issued at), and nbf (not before). Learn validation, clock skew, and security best practices.

Format

exp / iat / nbf

Detailed Explanation

JSON Web Tokens (JWTs) use Unix timestamps in seconds for three standard claims that control token validity. Understanding these claims is essential for implementing secure authentication and authorization.

The three timestamp claims:

{
  "iat": 1704067200,    // Issued At: when the token was created
  "nbf": 1704067200,    // Not Before: token is invalid before this time
  "exp": 1704070800     // Expiration: token is invalid after this time
}

All three are seconds since the Unix epoch, as specified in RFC 7519. Using milliseconds here is a common mistake that produces tokens that appear to expire thousands of years in the future.

Validation logic:

function validateJWT(payload) {
  const now = Math.floor(Date.now() / 1000); // current time in seconds

  if (payload.exp && now >= payload.exp) {
    throw new Error("Token expired");
  }

  if (payload.nbf && now < payload.nbf) {
    throw new Error("Token not yet valid");
  }

  // iat is informational, not typically used for validation
}

Clock skew tolerance:

In distributed systems, server clocks are never perfectly synchronized. A token issued by Server A might appear to be from the future when verified by Server B if B's clock is slightly behind. To handle this, most JWT libraries accept a "clock tolerance" or "leeway" parameter, typically 30-60 seconds.

// jose library example
await jwtVerify(token, key, {
  clockTolerance: 60  // allow 60 seconds of clock skew
});

Security best practices:

  • Always set an exp claim. Tokens without expiration remain valid forever if compromised.
  • Keep access token lifetimes short (5-15 minutes). Use refresh tokens for longer sessions.
  • Use nbf for tokens that should only become valid at a specific future time (e.g., a pre-scheduled access grant).
  • Never trust the iat claim for security decisions — it is the token issuer's claim and could be fabricated.

Debugging JWTs: When debugging authentication failures, always compare the token's exp to the current server time. The most common issue is expired tokens, followed by clock skew between the issuer and verifier.

Use Case

An OAuth 2.0 authorization server must set short exp values on access tokens and validate nbf/exp on the resource server to prevent replay attacks with stolen tokens.

Try It — Timestamp Converter

Open full tool

Related Topics

Getting the Current Unix Timestamp

time()

Seconds vs Milliseconds Timestamps

1700000000 vs 1700000000000

UTC vs Local Time

UTC+0

Timestamps in HTTP Headers

Last-Modified / Expires

Converting Epoch to Human Date

1704067200 → 2024-01-01

ISO 8601 Date Format

2024-01-15T09:30:00Z