JWT OAuth 2.0 Token Decoder

Decode OAuth 2.0 access tokens and OpenID Connect ID tokens — sub · iss · aud · scope · azp · exp — 100% local

Paste any OAuth 2.0 JWT access token or OIDC ID token to read all its claims. Understand permissions (scope), identify the issuer (iss), check expiration (exp), and optionally verify the signature with an HMAC secret or RSA public key PEM.

OAuth 2.0 JWT claims explained

OAuth 2.0 and OpenID Connect tokens share a standard set of JWT claims:

Frequently asked questions

What is an OAuth 2.0 JWT access token?

An OAuth 2.0 access token in JWT format is a signed token issued by an authorization server that grants access to a resource. It contains claims like sub, iss, aud, scope, and exp. Resource servers validate it locally without calling the authorization server.

What is the difference between an access token and an ID token?

An access token grants access to resources (APIs). An ID token (OpenID Connect) contains user identity claims like email, name, and profile. ID tokens are always intended for the client (aud = client_id), while access tokens target the resource server.

How do I verify an OAuth 2.0 JWT signature?

Open Advanced Options in the decoder. For HS256 tokens enter the client secret. For RS256/RS512 tokens, download the public key from the authorization server's JWKS endpoint, convert it to PEM, and paste it into the RSA/EC key field.
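What the HS256 check amounts to, followed by the claim checks a resource server relies on, as an added example that is not the decoder's own code. It assumes Node.js with only the standard library; the secret, issuer, audience and the helper names `makeToken` and `verifyHs256` are constructed for illustration.

```javascript
// Added example (Node.js, standard library only); all values below are constructed.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Build a constructed HS256 token so the example runs offline.
function makeToken(header, claims, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(hmac(input, secret))}`;
}

// Verify the signature first, then exp, iss and aud.
function verifyHs256(token, secret, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token's own header must not choose it (rejects "none").
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong iss' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong aud' };
  return { ok: true, claims };
}

// Constructed sample input.
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const CLAIMS = { sub: 'user-123', iss: 'https://as.example', aud: 'https://api.example', scope: 'read', exp: NOW + 300 };
const EXPECT = { issuer: 'https://as.example', audience: 'https://api.example', now: NOW };
const good = makeToken({ alg: 'HS256', typ: 'JWT' }, CLAIMS, SECRET);
console.log(verifyHs256(good, SECRET, EXPECT));
```

A decoded payload is only trustworthy after the signature check passes; the claim checks run on the verified payload, never on the raw decode.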

Is it safe to paste an OAuth token here?

The decoder runs entirely in your browser using vanilla JavaScript. No data is sent to any server. Treat short-lived access tokens as you would any sensitive value — do not paste production tokens in shared environments.
