
OAuth Debugger - Debug OAuth 2.0 Flows & Decode JWT Tokens

OAuth Debugger

Debug OAuth 2.0 flows and decode JWT tokens to understand authentication and authorization.

Authorization Code

Description: The recommended flow for most applications. The browser is redirected to the authorization server, comes back with a short-lived, single-use authorization code, and the app exchanges that code for an access token. Confidential clients (with a backend) authenticate the exchange with a client secret; public clients (SPAs, mobile apps) cannot keep a secret and use this flow with PKCE instead of the older implicit flow.

Use Case: Web applications with a backend (confidential clients); with PKCE, also single-page and native apps

Flow Steps:
  1. User clicks "Login" in your app
  2. App redirects the browser to the authorization server with client_id, redirect_uri, scope and a fresh random state value
  3. User logs in and grants the requested permissions
  4. Authorization server redirects back to redirect_uri with the authorization code and the same state; the app rejects the callback if state does not match the one it issued
  5. App exchanges the code for an access token (server-side; the code expires quickly and may be used only once)
  6. App uses access token to call APIs
Example Authorization URL:
https://oauth.provider.com/authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  scope=read%20write&
  state=random_string
Example Token Exchange:
POST https://oauth.provider.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=https://yourapp.com/callback&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET
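The six steps, the authorization URL and the token exchange above, carried through as one client-side implementation with PKCE and state checking. This is an added example, not code from the page or from any provider; the endpoint URLs, client ID and redirect URI are the placeholders used above, and no network request is made: the functions build the messages a client would send and validate the callback it would receive.

```python
# Added example: authorization code flow with PKCE (RFC 7636) and state binding.
# Hypothetical endpoints and IDs taken from the page's placeholders; offline only.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://oauth.provider.com/authorize"
TOKEN_URL = "https://oauth.provider.com/token"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://yourapp.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_session() -> dict:
    """Per-login secrets the app keeps server-side (e.g. in the user's session)."""
    return {
        # binds the callback to this browser session; defeats CSRF on the redirect URI
        "state": secrets.token_urlsafe(32),
        # 43-character verifier; never leaves the backend until the token exchange
        "code_verifier": b64url(secrets.token_bytes(32)),
    }


def build_authorization_url(session: dict, scope: str = "read write") -> str:
    """Step 2: the URL the app redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,  # urlencode form-encodes the space as '+'
        "state": session["state"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4: parse the redirect back; return the code or raise."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    # constant-time compare; a forged or replayed callback carries the wrong state
    if not hmac.compare_digest(state, session["state"]):
        raise PermissionError("state mismatch: possible CSRF")
    return query["code"][0]


def build_token_request(session: dict, code: str, client_secret: str) -> tuple:
    """Step 5: (URL, form body) for the server-side POST to the token endpoint."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri sent in step 2
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # confidential clients only
        "code_verifier": session["code_verifier"],  # proves this client began the flow
    })
    return TOKEN_URL, body


if __name__ == "__main__":
    s = new_session()
    print(build_authorization_url(s))
    # constructed callback, shaped as the authorization server would send it
    cb = f"{REDIRECT_URI}?code=AUTHORIZATION_CODE&state={s['state']}"
    print(build_token_request(s, handle_callback(s, cb), "YOUR_CLIENT_SECRET"))
```

The authorization server hashes the code_verifier it receives in step 5 and compares it with the code_challenge from step 2, so a stolen authorization code is useless without the verifier, which only the app's backend ever held.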

Understanding OAuth 2.0 and JWT

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that lets an application obtain limited, scoped access to a user's resources on an HTTP service without ever handling the user's password. The user authenticates at the authorization server, which then issues the application a token. OAuth itself is about delegated access, not login: on its own it does not tell the application who the user is. OpenID Connect adds that identity layer (the ID token) on top of OAuth 2.0.

What is JWT?

JSON Web Token (JWT, RFC 7519) is a compact, URL-safe format for a set of claims. A signed JWT lets the recipient check that the claims are intact and came from the expected issuer; it does not hide them, since anyone can base64url-decode the payload, so secrets must not be put in a JWT unless it is also encrypted (JWE). JWTs are commonly used as OAuth 2.0 access tokens and as OpenID Connect ID tokens.

JWT Structure:

A JWT consists of three parts separated by dots (.):

  • Header: Token type (typ) and signing algorithm (alg: HS256, RS256, ES256, etc.). Treat alg as untrusted input; the verifier decides which algorithm and key to use, never the token
  • Payload: Claims (user data, expiration, etc.), base64url-encoded but not encrypted
  • Signature: HMAC or digital signature over header.payload; it proves the token was not altered only once it has been verified against the expected key

Common JWT Claims:

  • iss (Issuer): Who issued the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who should accept the token
  • exp (Expiration): When the token expires (Unix timestamp)
  • iat (Issued At): When the token was issued
  • nbf (Not Before): Token not valid before this time

OAuth 2.0 Roles:

  • Resource Owner: The user who owns the data
  • Client: The application requesting access
  • Authorization Server: Issues access tokens
  • Resource Server: Hosts protected resources (API)

Security Best Practices:

  • Always use HTTPS for OAuth flows, including the redirect_uri
  • Register exact redirect URIs and compare them literally; never accept wildcard or partial matches
  • Send a random state on every authorization request and reject callbacks whose state does not match
  • Verify the JWT signature with the expected algorithm and key before trusting any claim; reject alg none and any alg not on your allowlist
  • Check exp (and nbf) with a small clock-skew allowance, and check that iss and aud are the values you expect
  • Use short-lived access tokens (15-60 minutes)
  • Store tokens securely (never in localStorage for sensitive apps; an httpOnly session cookie with the token held server-side is safer)
  • Use PKCE (Proof Key for Code Exchange) for public clients, and for confidential clients as well
  • Rotate refresh tokens after use, so a replayed refresh token is detected and the family revoked
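The JWT structure and claims described earlier, and the verification points in the list above, put together as one verifier. This is an added example and not the page's or any library's code: it uses only the Python standard library, the shared key, issuer and audience values are constructed for the demonstration, and the signing helper exists only to build tokens to check. Verification fails closed: the header's alg is compared with an allowlist the verifier owns, the signature is checked before the payload is parsed, and iss, aud, exp and nbf are all checked before the claims are returned.

```python
# Added example: decode and verify an HS256 JWT with an algorithm allowlist and
# claim checks. Key, issuer and audience below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # chosen by the verifier; never taken from the token header


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature; used here only to construct tokens to test."""
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """What a debugger displays: header and payload, with no trust attached."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify(token: str, key: bytes, issuer: str, audience: str, now=None, leeway: int = 60) -> dict:
    """Return the payload only if signature and every claim check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none" and RS256->HS256 key confusion
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if now + leeway < payload.get("nbf", 0):
        raise ValueError("token not yet valid")
    return payload


KEY = b"demo-shared-secret"  # constructed; real keys are random and loaded from config or a KMS
ISSUER = "https://oauth.provider.com/"
AUDIENCE = "https://api.yourapp.com"


def make_token(now: int, **overrides) -> str:
    """Constructed access token with the common claims; overrides let tests break one at a time."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
              "iat": now, "nbf": now, "exp": now + 900}
    claims.update(overrides)
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, KEY)


def check(token: str, now: int) -> str:
    """Verification outcome as a string: 'ok' or the reason it was rejected."""
    try:
        verify(token, KEY, ISSUER, AUDIENCE, now=now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = make_token(t0)
    print(decode_unverified(good))
    print(check(good, t0 + 10), "|", check(good, t0 + 3600))
    print(check(make_token(t0, aud="other-api"), t0))
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    print(check(f"{none_header}.{good.split('.')[1]}.", t0))
```

decode_unverified is what an OAuth debugger shows you; verify is what a resource server must run before acting on a single claim. For RS256 or ES256 tokens the shape is the same, with the HMAC replaced by a public-key signature check against the key selected by the header's kid from the issuer's published keys, still under the verifier's own algorithm allowlist.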

Common OAuth Providers:

  • Google: OAuth 2.0 for Gmail, Drive, Calendar
  • GitHub: OAuth for repository access
  • Facebook: OAuth for social login
  • Auth0: Third-party authentication service
  • Okta: Enterprise identity management
