Question 1

What types of OAuth access tokens exist?

Accepted Answer

OAuth 2.0 access tokens come in two forms: JWT (JSON Web Token) — self-contained tokens that encode claims and can be verified without a database lookup; and opaque tokens — random strings that require a token introspection endpoint (RFC 7662) to look up claims. This tool decodes JWTs client-side and shows metadata for both types.

Question 2

What is token introspection?

Accepted Answer

Token introspection (RFC 7662) is the process of calling the authorization server's /introspect endpoint with an opaque token to get its metadata (scope, expiry, subject, etc.). Resource servers use introspection to validate opaque tokens.

Question 3

What is the 'scope' claim?

Accepted Answer

The scope claim lists what permissions the token grants. For example: 'read:users write:posts' means the token can read users and write posts. Your API should verify that the token has the required scope before fulfilling the request.

Question 4

What is the difference between access tokens and ID tokens?

Accepted Answer

Access tokens are credentials for accessing APIs — they are meant for resource servers. ID tokens (OIDC) are credentials for verifying user identity — they are meant for client applications. Access tokens should be opaque to clients; ID tokens should be read by clients.

Question 5

What is the 'aud' claim?

Accepted Answer

The audience (aud) claim identifies the intended recipient(s) of the token — typically the API or resource server URL. Your API MUST verify that its identifier is in the aud claim. Accepting tokens not intended for your API is a security vulnerability.

Question 6

How do I inspect an OAuth access token?

Accepted Answer

Paste your OAuth access token above. If it's a JWT (starts with eyJ), the inspector decodes the Base64URL payload to display scopes, expiry, client ID, and any custom claims. Opaque tokens (random strings) can't be decoded — they're only readable by the authorization server. For ID tokens, use DevDecode's OIDC Debugger.

Question 7

What information is in an OAuth access token?

Accepted Answer

JWT access tokens contain: the issuer (iss), subject/user ID (sub), audience/client (aud), issued-at time (iat), expiry (exp), and granted scopes. Some identity providers include email, roles, and custom claims. Access tokens authorize specific API operations — inspect them to troubleshoot scope and permission issues.

OAuth Token Inspector — Free Online OAuth Access Token Decoder

Frequently Asked Questions

Understanding OAuth 2.0 Access Tokens

Related Tools

JWT Decoder

JWT Debugger

OIDC Debugger

PKCE Generator