Skip to content
Insights
Request Services
OIDC
Tool · client-side · PKCE-first

OIDC Debugger — without tokens leaving your browser.

Discovery-first, PKCE-first OpenID Connect flow debugger. Paste an issuer URL, start an Authorization Code + PKCE flow, and inspect the discovery document, token response, and ID Token with full JWKS signature verification. Everything client-side — tokens never leave your browser.

Register this redirect URI with your IdP

(determined at runtime)

How to use it

Three steps.

  1. 01

    Register the callback URL with your IdP

    Add the redirect URI shown above as an allowed callback for a public client in your IdP. The client must allow Authorization Code + PKCE.

  2. 02

    Fetch discovery

    Paste the issuer URL (e.g. https://your-tenant.okta.com or your Entra tenant URL). The tool fetches /.well-known/openid-configuration and validates it against OIDC Core requirements.

  3. 03

    Start the flow

    Click Start. You'll be redirected to your IdP, authenticate, and come back. The tool exchanges the code for tokens client-side, then validates the ID Token signature against the IdP's JWKS — no token ever touches our server.

What this checks for

Beyond “decode the JWT”.

  • Discovery document conformance

    Checks that required endpoints (authorize, token, JWKS) are present, that Authorization Code is supported, that PKCE S256 is advertised, and that no unsafe signing algorithm (alg=none, HS-only) is offered.

  • PKCE-only flow

    Only Authorization Code + PKCE (S256). Implicit Flow and ROPC are not supported — those are removed by OAuth 2.1 and pose a security risk we won't pretend is OK to debug.

  • JWKS signature verification

    Fetches the IdP's JWKS, finds the key matching the ID Token's kid, and verifies the signature using WebCrypto (RS256 / ES256 / PS256). A failed signature is highlighted prominently.

  • Standard claim validation

    Verifies iss matches discovery, aud includes the client_id, exp is in the future, and nonce matches the value sent in /authorize. Missing required claims (sub, iss, aud, exp, iat) are flagged.

  • No server-side token handling

    Everything from discovery fetch through token exchange runs in your browser. Tokens never transit our server. Open DevTools → Network and you can verify: requests fire only to your IdP, never to askmeidentity.com.

Need more

Decode a JWT directly. Visualize the OAuth flow.

JWT DecoderOAuth Flow VisualizerOpenID Connect explained

Identity, cybersecurity, and custom software for regulated enterprises. Audit-ready operations from advisory through audit.

Americas HQ

Wilmington, DE

America/New York

India HQ

Hyderabad, TG

Asia/Kolkata

Services
  • IAM Consulting
  • IAM Technologies
  • Custom Software & AI
  • IAM Staffing
  • Request Services
  • Case Studies
Resources
  • All Resources
  • Complete Guide to IAM
  • IAM Frameworks Compared
  • IAM Certification Roadmap
  • IAM API Hub
  • IAM Explainers
  • IAM Vendor Status
  • Release Notes
  • State of Identity
  • State of PAM
  • State of IGA
  • State of CIAM
  • State of AI Agent Identity
  • IAM Salary Benchmark
  • Vendor Pricing Index
  • Year in Review 2026
  • Acquisition Tracker
  • Outage Tracker
  • Identity Incidents
  • Vulnerability Tracker
  • Cheat Sheets
  • Standards Explainers
  • Migration Playbooks
  • Audit Checklists
  • Reference Architectures
  • RFP Templates
  • IAM Anti-Patterns
  • Compliance Crosswalk
  • Market Landscape
  • Awesome IAM
  • IAM Glossary
  • Compliance Frameworks
  • Integration Guides
  • Vendor Alternatives
  • IAM by Industry
  • Salary Lookup
  • Directory
Research & media
  • IAM Compensation 2026
  • Vendor Moves Q3 2026
  • Identity Incidents Q3 2026
  • Vendor Security Posture 2026
  • Vendor Pricing 2026
  • AI Citation Tracker
  • Top 50 IAM Tools 2026
  • Podcast
  • Videos
  • Newsletter
  • Newsletter Archive
  • Embed Widgets
Free tools
  • JWT Decoder
  • JWT Signer
  • SAML Decoder
  • SAML Metadata Diff
  • OAuth Flow Visualizer
  • OIDC Debugger
  • OIDC Discovery Validator
  • PKCE Generator
  • WebAuthn Tester
  • Bearer Token Inspector
  • SCIM Validator
  • Password Entropy
  • IAM RFP Template
  • PAM Vendor Selector
  • Maturity Assessment
  • ROI Calculator
  • TCO Calculator
  • MFA Bypass Risk
  • Audit-Prep Burden
  • Quizzes
Company
  • About
  • Leadership
  • Approach
  • Why Choose Us
  • Partners
  • Press Kit
  • Press Topics
  • Global Presence
  • Locations
  • Insights
  • Now
  • Community
  • Open Roles
  • Submit Resume
  • Training
  • Contact

© 2026 askmeidentity, Inc.. Safeguard your digital frontier.

  • Privacy Policy
  • Terms of Service
  • Accessibility