Decode, inspect, and verify OAuth 2.0 delegation chains — no install, no server, runs locally as a desktop app.
Paste your real tokens. See every claim decoded, highlighted, and verified — without sending anything to a server.
| Mode | What it verifies |
|---|---|
| OBO (On-Behalf-Of) | sub preservation · client_id actor · downstream scopes — RFC 8693 |
| XAA / ID-JAG | ID Token → ID-JAG → Access Token chain · iss/aud alignment · TTL ≤ 10 min · typ claim |
(Add your screenshots to the `/screenshots` folder and they appear here)
- OBO flow — paste User token + OBO token, get chain proof with `sub` preservation check
- XAA / ID-JAG flow — 4-tab inspector: ID Token · ID-JAG · Access Token · Chain Proof
- 6 automated chain checks — sub match, issuer match, delegation handoff, typ claim, TTL, scope consistency
- Dark mode — automatic via `prefers-color-scheme`
- Zero network calls — all decoding is `atob()` + `JSON.parse()` in your browser
- Desktop app experience — opens in Edge/Chrome `--app` mode (no address bar, no tabs)
- Single file — one `.vbs` double-click, no dependencies, no install
- Download `TokenVisualizer.zip`
- Right-click the ZIP → Properties → tick Unblock → Apply
- Extract → double-click `TokenVisualizer.vbs`

- Download `TokenVisualizer.vbs`
- Double-click → click Open on the one-time warning
- The file self-unblocks — no warning on any future run
| Token | Source | Claims inspected |
|---|---|---|
| User access token | Okta PKCE login | sub, scp, cid, uid |
| OBO token | RFC 8693 token exchange | sub, client_id, scope, uid |
| OIDC ID Token | Any OIDC provider | sub, iss, aud |
| ID-JAG | xaa.dev / Okta XAA | sub, iss, aud, typ, scope, TTL |
| XAA Access Token | Resource auth server | iss, aud, sub, scope, app_org |
Accepts raw JWT strings (`eyJ...`) and JSON objects (`{...}`).
| Standard | Used for |
|---|---|
| RFC 8693 | OAuth 2.0 Token Exchange (OBO + XAA step 2) |
| RFC 7523 | JWT Bearer Grant (XAA step 3) |
| RFC 6750 | Bearer Token Usage |
| ID-JAG draft | Identity Assertion Authorization Grant |
| OIDC Core | ID Token structure |
- All token decoding happens locally in your browser
- No tokens are sent to any server — ever
- The VBS writes a static HTML file to `%APPDATA%` and opens it in Edge/Chrome app mode
- Works completely offline after download
Shashi Singh
MIT — free to use, modify, and distribute with attribution.
- xaa.dev — XAA/ID-JAG playground
- jwt.io — JWT decoder (online, sends tokens to server)
- Okta Cross-App Access docs
- ID-JAG IETF draft