OAuth Flow Debugger

Decode and audit an OAuth 2.0 / OIDC URL

Paste any OAuth authorization URL, callback URL, or token-response URL. The tool identifies the flow, decodes the parameters, and flags suspicious or missing values. Useful when integration is failing and the docs aren't telling you which parameter is wrong.

Flow detected

URL components

ComponentValueNotes

Parameters

ParameterValueNotes

Audit

    What this decodes

    OAuth 2.0 authorization endpoints, token endpoints, callback URLs (both code-in-query and token-in-fragment), and OpenID Connect discovery URLs.

    What it flags

    Insecure redirect URIs, missing state, plain code_challenge, oversized scopes, fragments containing tokens that shouldn't be there, leaked tokens in query strings.

    What this isn't

    Not a token verifier (use jwt-inspector for that). Not a security audit tool — it catches common mistakes, not novel attacks.