JWT Clock Skew Check
Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste a JWT or payload JSON and click “Parse”. It shows time deltas and warnings.
Notes (this tool)
- No signature verification is performed.
About this page
What does this tool do?
Paste a JWT (or payload JSON) and it computes deltas between iat/nbf/exp and now.
It helps diagnose auth failures caused by clock skew or device time issues.
Typical use cases
- A token is rejected even though it should be valid
- Failures occur near the nbf time
- Client device clock drift is suspected
What is clock skew?
When client and server clocks differ by seconds or minutes, nbf/exp evaluations can flip: the same token passes against one clock and fails against the other.
Many implementations allow a small leeway (tens of seconds).
What this tool does
- Show deltas between iat/nbf/exp and now
- Warn on abnormal future/past timestamps
- Accept JWT or payload JSON
Notes
- Signature verification is not performed (use JWT Verifier)
- Current time depends on the device clock
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Operational notes
- Result output alone is not enough for trust decisions. Always validate signatures and issuer.
- Clock skew and environment differences affect reproducibility, so record test time and settings.
Referenced specs
- RFC 7519 (JSON Web Token)
FAQ
What is a common clock skew tolerance?
It depends on implementation, but many systems use tolerances from tens of seconds to a few minutes.
Where does clock skew typically originate?
Common causes are unsynced client clocks, server NTP issues, and timezone/config differences across environments.
Next to view (diagnostic order)
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Claim Audit — Audit missing required/recommended JWT claims
- OAuth Bearer Diagnostic — Diagnose consistency between Bearer and WWW-Authenticate
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- Authorization Inspect — Parse Authorization header formats
- JWT Decoder — Decode and pretty-print JWT header/payload
Example
{"iat": 1710000000, "nbf": 1710000060, "exp": 1710003600}