
OAuth2 Token Debugger - Decode Tokens & Parse Auth URLs

Free online OAuth2 token debugger. Decode JWT access tokens and id tokens, parse OAuth2 authorization URLs, and inspect OIDC parameters.

What Is an OAuth2 Token Debugger?

An OAuth2 Token Debugger is a developer tool for inspecting OAuth2 and OpenID Connect (OIDC) authentication flows. It can decode JWT-format access tokens and ID tokens to reveal their header and payload claims, and it can parse OAuth2 authorization URLs to extract parameters like client_id, redirect_uri, scope, response_type, state, and PKCE challenges. This makes it easier to troubleshoot authentication issues, verify token contents, and understand authorization request parameters during development.

How to Use the OAuth2 Token Debugger

  1. Select the 'Decode Token' tab to inspect a JWT token, or 'Parse Auth URL' to analyze an authorization URL.
  2. For token decoding, paste your access_token or id_token. The tool decodes the JWT header and payload and displays them as formatted JSON.
  3. For URL parsing, paste a full OAuth2 authorization URL (e.g., from your browser address bar during a login flow).
  4. The URL parser extracts and labels all query parameters, highlighting known OAuth2 parameters like client_id, scope, and PKCE fields.
  5. Review the extracted information to verify your OAuth2 configuration is correct.

Common Use Cases

  • Debugging Login Flows — When an OAuth2 login flow fails, paste the authorization URL to verify that client_id, redirect_uri, and scope parameters are set correctly.
  • Inspecting ID Tokens — After an OIDC authentication, decode the id_token to verify the user's identity claims such as email, name, and audience.
  • PKCE Verification — Check that your authorization request includes the correct code_challenge and code_challenge_method parameters for PKCE flows.
  • Token Scope Validation — Decode access tokens to verify that the granted scopes match what your application requested and needs.

FAQ

What types of tokens can this tool decode?
This tool can decode any token in JWT (JSON Web Token) format, which includes most OAuth2 access tokens and all OIDC ID tokens. Opaque tokens (random strings without JWT structure) cannot be decoded because they contain no readable claims.

What is PKCE and why do I see code_challenge in the URL?
PKCE (Proof Key for Code Exchange) is a security extension for OAuth2 that prevents authorization code interception attacks. The code_challenge parameter in the authorization URL is a hashed version of a secret (the code_verifier) that the client will later prove it knows during the token exchange.

Why is the state parameter important in OAuth2?
The state parameter is a CSRF protection mechanism. Your application generates a random value, includes it in the authorization request, and verifies that it matches when the user is redirected back. This prevents attackers from forging authorization responses.
