JWT Expiration Handling — exp Claim Best Practices
Handle JWT expiration correctly: exp claim validation, clock skew, refresh flows, and client-side expiry checking.
Quick Answer
To check how a token handles expiration, paste it into our JWT Decoder, inspect the header and payload claims (including exp), then verify the signature with the JWT Validator. All processing runs locally in your browser.
Understanding exp
The exp (expiration) claim defines when a token becomes invalid. It is a NumericDate — seconds since Unix epoch. Our Expiry Checker shows exact expiry and time remaining.
Server Validation
const jwt = require('jsonwebtoken');
// verify() checks the signature, then rejects the token once now >= exp + clockTolerance
const payload = jwt.verify(token, secret, {
  algorithms: ['HS256'], // pin the algorithm; never let the token header choose it
  clockTolerance: 30, // 30s skew
});
Refresh Pattern
When the access token expires, exchange the refresh token for a new access/refresh pair. Rotate the refresh token on every exchange so that a replayed old token reveals theft. See Refresh Token Rotation.
Client UX
Decode exp client-side to show "session expiring" warnings. Redirect to login when refresh fails. Never extend exp client-side.
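A client-side helper for the UX checks described above, added here as an example and not taken from the page. It reads exp without verifying the signature, which is all a browser can do and all it should do with the value: the thresholds, the state names and the sample token are constructed, and the server remains the only place the token is actually validated.

```javascript
// Browser-side expiry reading. Works in Node >= 16 as well via the Buffer fallback.

function base64urlToText(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

function textToBase64url(s) {
  const b64 = typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload only. No signature check: this is display logic, not trust.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(base64urlToText(parts[1])); // ASCII claims assumed in this demo
}

// Seconds until exp, or null when the token has no usable exp claim.
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const { exp } = decodePayload(token);
  if (typeof exp !== 'number') return null;
  return exp - Math.floor(nowMs / 1000); // exp is seconds; Date.now() is milliseconds
}

// What the UI should do right now. Thresholds are constructed for the example.
function sessionState(token, { warnBefore = 120, refreshBefore = 60, nowMs = Date.now() } = {}) {
  const left = secondsUntilExpiry(token, nowMs);
  if (left === null) return 'unknown'; // no exp to reason about; let the server decide
  if (left <= 0) return 'expired';      // refresh, and redirect to login if that fails
  if (left <= refreshBefore) return 'refresh';
  if (left <= warnBefore) return 'warn'; // show the "session expiring" notice
  return 'active';
}

// Constructed sample token. The client never checks the third segment, so a
// placeholder signature is enough to exercise the functions above.
function demoToken(exp) {
  const header = textToBase64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = textToBase64url(JSON.stringify({ sub: 'demo-user', exp }));
  return `${header}.${payload}.placeholder-signature`;
}

const nowMs = 1_700_000_000_000;
console.log(sessionState(demoToken(1_700_000_000 + 90), { nowMs })); // warn
```

Because the value is read from an unverified payload, the only decisions it should drive are when to warn and when to call the refresh endpoint; the server's verify() result is what decides whether a request succeeds.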
Related Errors
See Token Expired and JWT Expired Token Fix.
Understanding JWT Expiration Handling — exp Claim Best Practices in Production
Developers look up JWT expiration handling when building API authentication with JSON Web Tokens. JWTs are used by OAuth 2.0, OpenID Connect, Auth0, Firebase, AWS Cognito, and Keycloak. Always validate exp, iss, and aud server-side — decoding alone proves nothing about authenticity.
JWT Structure Recap
Every JWT has three dot-separated segments: header (algorithm), payload (claims), signature (proof). Use JWT Decoder to inspect and JWT Validator to verify before trusting any claim value in production code.
Common Pitfalls
- Algorithm confusion (none attack) — whitelist allowed algorithms
- Secrets in the payload — payload is only Base64-encoded, not encrypted
- Ignoring clock skew on exp and nbf
- Weak HMAC secrets — use 256-bit random keys
- Skipping signature verification — always call verify(), not decode()
- Storing tokens in localStorage — XSS can steal them
Further Reading
Browse related resources: JWT Decoder, JWT Validator, JWT Basics, JWT Authentication, JWT Errors, Algorithms, Glossary, and Learning Path.
FAQ
What is the exp claim?
A Unix timestamp after which the JWT must be rejected. Always validate server-side with small clock skew tolerance.
Should clients check exp?
Yes for UX (proactive refresh), but server validation is mandatory — clients can be manipulated.