ekofyi
Live, security, shipped v1.0.0

OAuth2 Token Inspector

Understand and document OAuth2 implementations. Paste token responses, authorization URLs, or cURL commands to identify the grant type (authorization code, client credentials, PKCE, device flow). Visualizes the token lifecycle including access token expiry, refresh token rotation, and scope hierarchy.

oauth2, token, auth, api, flow-visualization

Authorization URL — Step 1: redirect user to authorize

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| response_type | What's expected back: code, token, id_token | code |
| client_id | Public identifier of the app | YOUR_CLIENT_ID |
| redirect_uri | Where the auth server sends the user back | https://app.example.com/callback |
| scope | Permissions requested | openid profile email |
| state | CSRF protection token | xyz123 |
| code_challenge | PKCE challenge | abc |
| code_challenge_method | S256 (recommended) or plain | S256 |

Security warnings

OIDC flow missing nonce — replay attack risk

🔒 Recognized stages: auth URL, redirect callback, token request/response. Never paste real production tokens.
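
An added example, not the tool's own code: a small Python inspector for the authorization URL stage that classifies the flow from response_type and code_challenge and applies the checks shown above (state, nonce when the openid scope is requested, PKCE method). The function name inspect_authorization_url and the endpoint host auth.example.com are assumptions; the parameter values are the ones listed on this page.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

def inspect_authorization_url(url):
    """Return (flow, warnings) for an OAuth2/OIDC authorization URL."""
    # keep_blank_values: an empty "state=" must count as missing, not vanish
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    # RFC 6749 section 3.1: request parameters must not appear more than once
    warnings = [f"duplicate parameter: {n}" for n, v in query.items() if len(v) > 1]

    response_types = set(params.get("response_type", "").split())
    scopes = set(params.get("scope", "").split())
    has_pkce = bool(params.get("code_challenge"))

    if response_types == {"code"}:
        flow = "authorization code + PKCE" if has_pkce else "authorization code"
    elif "code" in response_types:
        flow = "hybrid"
    elif response_types & {"token", "id_token"}:
        flow = "implicit"
    else:
        flow = "unknown"

    if not params.get("state"):
        warnings.append("missing state: no CSRF protection on the callback")
    if "openid" in scopes and not params.get("nonce"):
        warnings.append("OIDC flow missing nonce: replay attack risk")
    # RFC 7636 section 4.3: an omitted code_challenge_method means "plain"
    if has_pkce and params.get("code_challenge_method", "plain") != "S256":
        warnings.append("PKCE challenge method is plain: S256 is recommended")
    return flow, warnings

# Constructed sample: the parameter values listed on this page, sent to a
# hypothetical authorization endpoint (auth.example.com is an assumption).
SAMPLE_URL = "https://auth.example.com/authorize?" + urlencode({
    "response_type": "code",
    "client_id": "YOUR_CLIENT_ID",
    "redirect_uri": "https://app.example.com/callback",
    "scope": "openid profile email",
    "state": "xyz123",
    "code_challenge": "abc",
    "code_challenge_method": "S256",
})

if __name__ == "__main__":
    flow, warnings = inspect_authorization_url(SAMPLE_URL)
    print(flow)
    for w in warnings:
        print("warning:", w)
```

Run on the sample, it reports an authorization code + PKCE flow with the single missing-nonce warning; appending a nonce parameter clears it.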