OAuth / OIDC
OAuth Token Inspector
Works locally in your browser — no requests sent to a server.
Optional: verify HS* signature
Only applies if the token header uses HS256/HS384/HS512 (HMAC).
Overview
Header details and common OAuth/OIDC hints.
typ
—
kid
—
format
Opaque/unknown
Header (decoded)
—Payload (decoded)
—Signature (raw)
—JWT vs opaque tokens
Some OAuth servers issue JWTs (self-contained claims). Others issue opaque tokens that only the authorization server can interpret.
Safe handling tips
- Prefer pasting test tokens, not production secrets.
- Never share refresh tokens in screenshots or logs.
- If your token uses RS256/ES256, verification needs the issuer’s public key (JWK).
Common claims
Time
exp, iat, nbf
Identity / audience
iss, sub, aud, azp
How it works
Extracts a bearer token, decodes JWT segments locally, highlights common OAuth/OIDC claims, and can verify HS256/384/512 signatures using your provided secret.
- Opaque tokens will not decode; this page still shows safe-handling tips.
- Signature verification here is HMAC-only; RS/EC keys need the issuer JWKs.
Quick examples
Paste access tokens safely; avoid production secrets.
Mini FAQ
Why no RS256 verification?
It needs the issuer public keys (JWKs); this page keeps things local.
Token looks opaque?
Some providers issue opaque access tokens; introspection is required server-side.
Does copying the token send it anywhere?
No; all parsing and verification stay in your browser.
Related tools