JWT Clock Skew Check
Calculate deltas between JWT time claims and current time in your browser to spot failures beyond skew tolerance. Your input stays on your device.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste a JWT or payload JSON and click “Parse”. It shows time deltas and warnings.
Notes (this tool)
- No signature verification is performed.
About this page
What does this tool do?
Paste a JWT (or payload JSON) and it computes deltas between iat/nbf/exp and now.
It helps diagnose auth failures caused by clock skew or device time issues.
Typical use cases
- Rejected even though the token should be valid
- Failures near nbf time
- Suspect client device clock drift
What is clock skew?
When client/server clocks drift by seconds or minutes, nbf/exp evaluations can flip.
Many implementations allow a small leeway (tens of seconds).
What this tool does
- Show deltas between iat/nbf/exp and now
- Warn on abnormal future/past timestamps
- Accept JWT or payload JSON
Notes
- Signature verification is not performed (use JWT Verifier)
- Current time depends on the device clock
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Operational notes
- Result output alone is not enough for trust decisions. Always validate signatures and issuer.
- Clock skew and environment differences affect reproducibility, so record test time and settings.
Referenced specs
- RFC 7519 (JSON Web Token)
FAQ
What is a common clock skew tolerance?
It depends on implementation, but many systems use tolerances from tens of seconds to a few minutes.
Where does clock skew typically originate?
Common causes are unsynced client clocks, server NTP issues, and timezone/config differences across environments.
References
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Claim Audit — Audit missing required/recommended JWT claims
- OAuth Bearer Diagnostic — Diagnose consistency between Bearer and WWW-Authenticate
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- Authorization Inspect — Parse Authorization header formats
- JWT Decoder — Decode and pretty-print JWT header/payload
Same-theme links
Auth
Trace auth failures across Bearer, WWW-Authenticate, and JWT
- OAuth Bearer Diagnostic — Diagnose consistency between Bearer and WWW-Authenticate
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- JWT Claim Audit — Audit missing required/recommended JWT claims
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- Authorization Inspect — Parse Authorization header formats
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Decoder — Decode and pretty-print JWT header/payload
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
Example
{"iat": 1710000000, "nbf": 1710000060, "exp": 1710003600}