Paste any OAuth authorization URL, callback URL, or token-response URL. The tool identifies the flow, decodes the parameters, and flags suspicious or missing values. Useful when integration is failing and the docs aren't telling you which parameter is wrong.
| Component | Value | Notes |
|---|
| Parameter | Value | Notes |
|---|
OAuth 2.0 authorization endpoints, token endpoints, callback URLs (both code-in-query and token-in-fragment), and OpenID Connect discovery URLs.
Insecure redirect URIs, missing state, plain code_challenge, oversized scopes, fragments containing tokens that shouldn't be there, leaked tokens in query strings.
Not a token verifier (use jwt-inspector for that). Not a security audit tool — it catches common mistakes, not novel attacks.