
OAuth / OIDC

OAuth Token Inspector

Works locally in your browser — no requests sent to a server.

Local only. Decode + highlight claims.

Token: paste a JWT or "Bearer …"

Optional: verify HS* signature

Only applies if the token header uses HS256/HS384/HS512 (HMAC).

Provide a secret to verify HS* tokens (optional).

Overview

Header details and common OAuth/OIDC hints.

Fields: alg, typ, kid, format

Paste a token to see decoded claims here.

Header (decoded)

Payload (decoded)

Signature (raw)

JWT vs opaque tokens

Some OAuth servers issue JWTs (self-contained claims). Others issue opaque tokens that only the authorization server can interpret.
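The JWT/opaque distinction above and the optional HS* check can be sketched as follows. This is an added example, not the inspector's own source: it runs under Node.js (using `node:crypto` instead of the browser's Web Crypto), and the function names, sample claims and secret are constructed for illustration.

```javascript
// Added example, not the inspector's source. Names and sample values are constructed.
const nodeCrypto = require("node:crypto");

const HS_DIGEST = new Map([["HS256", "sha256"], ["HS384", "sha384"], ["HS512", "sha512"]]);
const decodeJson = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Classify a pasted value; decode it only if it has JWT (JWS compact) structure.
function inspectToken(input) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const opaque = { format: "opaque/unknown", length: token.length };
  const parts = token.split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]*$/.test(p))) return opaque;
  try {
    const header = decodeJson(parts[0]);
    const payload = decodeJson(parts[1]);
    if (!isObject(header) || !isObject(payload)) return opaque;
    const signingInput = parts[0] + "." + parts[1];
    return { format: "JWT", length: token.length, header, payload, signingInput, signature: parts[2] };
  } catch {
    return opaque; // dot-separated, but the segments are not base64url JSON
  }
}

// Verify HS256/HS384/HS512 only. RS256, ES256 and "none" are reported, never
// "verified" with the shared secret.
function verifyHs(info, secret) {
  if (info.format !== "JWT") return "not-a-jwt";
  const digest = HS_DIGEST.get(info.header.alg);
  if (!digest) return "unsupported-alg";
  const expected = nodeCrypto.createHmac(digest, secret).update(info.signingInput).digest();
  const actual = Buffer.from(info.signature, "base64url");
  // timingSafeEqual throws on unequal lengths, so check length first.
  const ok = actual.length === expected.length && nodeCrypto.timingSafeEqual(actual, expected);
  return ok ? "valid" : "invalid";
}

// Build a constructed HS* test token (throwaway secret, fake claims).
function makeSampleToken(alg, claims, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = enc({ alg, typ: "JWT" }) + "." + enc(claims);
  const mac = nodeCrypto.createHmac(HS_DIGEST.get(alg), secret).update(signingInput);
  return signingInput + "." + mac.digest("base64url");
}

const sample = makeSampleToken("HS256", { iss: "https://issuer.example", sub: "user-1", aud: "api" }, "test-secret");
console.log(inspectToken("Bearer " + sample).payload, verifyHs(inspectToken(sample), "test-secret"));
```

Selecting the digest from the header's `alg` is acceptable for an inspector; a resource server should pin the algorithm it expects instead of trusting the token's header.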

Safe handling tips

  • Prefer pasting test tokens, not production secrets.
  • Never share refresh tokens in screenshots or logs.
  • If your token uses RS256/ES256, verification needs the issuer’s public key (JWK).

Common claims

  • Time: exp, iat, nbf
  • Identity / audience: iss, sub, aud, azp