Home/Security Tools/OAuth token inspector

OAuth / OIDC

OAuth Token Inspector

Works locally in your browser — no requests sent to a server.

Local only Decode + highlight claims
Tokenpaste JWT or "Bearer …"
Opaque/unknown Length: 0

Optional: verify HS* signature

Only applies if the token header uses HS256/HS384/HS512 (HMAC).

Provide a secret to verify HS* tokens (optional).

Overview

Header details and common OAuth/OIDC hints.

alg: —

typ

kid

format

Opaque/unknown

Paste a token to see decoded claims here.

Header (decoded)

Payload (decoded)

Signature (raw)

JWT vs opaque tokens

Some OAuth servers issue JWTs (self-contained claims). Others issue opaque tokens that only the authorization server can interpret.

Safe handling tips

  • Prefer pasting test tokens, not production secrets.
  • Never share refresh tokens in screenshots or logs.
  • If your token uses RS256/ES256, verification needs the issuer’s public key (JWK).

Common claims

Time

exp, iat, nbf

Identity / audience

iss, sub, aud, azp

How it works

Extracts a bearer token, decodes JWT segments locally, highlights common OAuth/OIDC claims, and can verify HS256/384/512 signatures using your provided secret.

  • Opaque tokens will not decode; this page still shows safe-handling tips.
  • Signature verification here is HMAC-only; RS/EC keys need the issuer JWKs.

Quick examples

Bearer JWT
Authorization: Bearer eyJhbGciOi...
Decodes header/payload; alg=HS256
Verify signature
Secret: stackatlas
Status: Signature matches

Paste access tokens safely; avoid production secrets.

Mini FAQ

Why no RS256 verification?

It needs the issuer public keys (JWKs); this page keeps things local.

Token looks opaque?

Some providers issue opaque access tokens; introspection is required server-side.

Does copying the token send it anywhere?

No; all parsing and verification stay in your browser.