What is the difference between a JWT access token and an opaque token?

A JWT (JSON Web Token) is self-contained: it encodes claims (subject, scopes, expiry) in a base64url payload that any party can decode without contacting the authorisation server. An opaque token is an opaque string — typically a random identifier — whose claims are stored server-side. To validate an opaque token you must call your authorisation server's introspection endpoint (RFC 7662).

What is an OIDC ID token?

An OpenID Connect (OIDC) ID token is a JWT issued alongside an OAuth access token when the 'openid' scope is requested. It contains identity claims about the authenticated user such as sub (user identifier), name, email, and nonce. Unlike an access token, the ID token is intended for the client application, not for calling APIs.

Why does this tool not verify the JWT signature?

Signature verification requires the secret key (for HMAC algorithms like HS256) or the issuer's public key (for RSA/EC algorithms like RS256, ES256). This tool focuses on decoding and structural analysis so you can inspect claims quickly without needing credentials. Use a dedicated JWT validator with your secret/public key to verify the signature.

What does the entropy score mean for opaque tokens?

Shannon entropy measures the randomness of the token's characters. A score above 4.0 bits/char indicates high randomness (good). Between 3.0 and 4.0 is medium. Below 3.0 suggests the token may be sequential, predictable, or not cryptographically random — which is a security concern for bearer tokens.

What is the scope claim in an OAuth token?

The scope claim lists the permissions granted to the access token, as a space-separated string (e.g. 'openid profile email read:orders'). Each scope represents a permission that the client application was authorised to use. The resource server checks scopes to decide whether to honour a request.

What does 'alg: none' mean and why is it dangerous?

An algorithm of 'none' means the JWT carries no signature — it is unsigned. Some broken implementations accept these tokens, allowing an attacker to forge arbitrary claims. The tool always warns when it detects alg: none. Never accept unsigned JWTs in production.

Is my OAuth token safe to paste here?

Yes. All decoding and analysis happens entirely in your browser using JavaScript. Your token is never sent to any server. However, as a general best practice, avoid pasting production access tokens into any online tool unless you understand the risk of token theft. Rotate any token that may have been exposed.

OAuth Token Validator — Decode & Inspect OAuth Tokens | 100Plus Tools

Loading tool...

How to Use OAuth Token Validator

How to Use the OAuth Token Validator:

Paste Your Token: Copy the OAuth token from your application — this can be a JWT access token, an OIDC ID token, or an opaque bearer token — and paste it into the input field.
Click "Validate Token": The tool detects the token type automatically. JWT tokens (which start with "eyJ" and have three dot-separated parts) are decoded and inspected. All other tokens are treated as opaque.
JWT Tokens — Inspect Claims: For JWT tokens, the tool displays:
- Algorithm from the header (e.g. HS256, RS256, ES256)
- Expiry status — whether the token is currently active or expired
- Scopes — the OAuth scopes granted to the token, shown as coloured badges
- OAuth Claims table — subject (sub), issuer (iss), audience (aud), client ID (client_id or azp), and JWT ID (jti)
- Timing panel — issued-at, not-before, and expires-at in local time
- Full Payload and Header — collapsible JSON panels with copy support
Opaque Tokens — Analyse Format: For non-JWT tokens, the tool shows:
- Token length in characters
- Shannon entropy — a measure of randomness (higher is better; < 3.0 bits/char suggests a sequential or weak token)
- Character set — whether the token uses alphanumeric, base64url, or mixed characters
- A note that opaque tokens must be validated via your authorisation server's introspection endpoint (RFC 7662)
Review Warnings: The tool surfaces issues such as expired tokens, missing scope or issuer claims, and the dangerous "alg: none" case.

Notes:

Signature verification is not performed — the tool only decodes and analyses the token structure.
Your token is never sent to any server. All processing happens in your browser.

Frequently Asked Questions

Most Viewed Tools

📺

Screen Size Converter

791 views

Calculate screen width and height from diagonal size and aspect ratio. Convert between inches and centimeters for displays, TVs, and monitors with instant dimension calculations.

Use Tool →

🖨️

DPI Calculator

303 views

Calculate DPI (dots per inch), image dimensions, and print sizes. Convert between pixels and physical dimensions for printing and displays.

Use Tool →

📄

Paper Size Converter

270 views

Convert between international paper sizes (A4, Letter, Legal) with dimensions in mm, cm, and inches. Compare ISO A/B series and North American paper standards.

Use Tool →

⛽

Fuel Consumption Converter

255 views

Convert between MPG (miles per gallon), L/100km (liters per 100 kilometers), and other fuel efficiency units. Compare car fuel economy across different measurement systems.

Use Tool →

✂️

CSV Splitter

231 views

Split large CSV files into smaller files by number of rows. Process large datasets in manageable chunks instantly.

Use Tool →

🛍️

Product Schema Generator

230 views

Generate JSON-LD Product schema markup for SEO. Add product details like name, price, brand, rating, and availability to create structured data for rich search results.

Use Tool →

📄

Large Text File Viewer

183 views

View and search large text files up to 200MB in your browser. Features virtual scrolling, line numbers, search functionality, and file statistics. Perfect for log files, CSV, JSON, and code files.

Use Tool →

🔑

API Key Generator

172 views

Generate secure, cryptographically random API keys for authentication and authorization. Create custom API keys with various formats including hex, base64, and prefixed keys.

Use Tool →

Related API & Backend Tools

🔑

JWT Token Validator

Decode and validate JWT tokens instantly in your browser. Inspect header and payload claims, check expiry, and verify HMAC signatures (HS256/HS384/HS512). Free and private.

Use Tool →

✍️

JWT Encoder & Signer

Construct and sign JWT tokens locally in your browser. Edit header and payload JSON, choose HS256/HS384/HS512, enter a secret, and generate a signed token instantly. Nothing is uploaded.

Use Tool →

🔌

API Tester

Test HTTP API endpoints directly in your browser. Make GET, POST, PUT, PATCH, and DELETE requests with custom headers and request bodies. View status codes, response headers, and pretty-printed JSON responses — all client-side, no server proxy.

Use Tool →

🪝

Webhook Validator

Validate and inspect webhook payloads in your browser. Auto-detects GitHub, Stripe, Slack, and Shopify webhooks, extracts event details, and optionally verifies HMAC signatures. Free and private.

Use Tool →

🔓

JWT Decoder

Decode JWT (JSON Web Token) headers and payloads locally in your browser. View claims, algorithm info, and signature without sending data to any server.

Use Tool →

Share Your Feedback

Help us improve this tool by sharing your experience