JWT Expiry Checks Fail Due to Seconds vs Milliseconds Mismatch
A common bug in client-side JWT handling causes incorrect expiry checks because developers compare Date.now(), which returns milliseconds, against the JWT's exp field, which stores time in seconds per RFC 7519. This 1000x unit mismatch means either every token appears instantly expired or no token ever expires, depending on how the comparison is written. The fix is straightforward: multiply the JWT's exp value by 1000 before comparing, or divide Date.now() by 1000, and apply the same logic to the iat and nbf fields. Developers are also advised to add a small clock-skew buffer of around 30 seconds to avoid prematurely invalidating near-expiry tokens. Critically, decoding a JWT on the client only reads its payload and does not verify authenticity — signature validation must always be performed server-side on every protected request.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in