shashi-singhnl/token-visualizer

🔐 Token Visualizer — OBO & XAA / ID-JAG

Decode, inspect, and verify OAuth 2.0 delegation chains — no install, no server, runs locally as a desktop app.


What it does

Paste your real tokens. See every claim decoded, highlighted, and verified — without sending anything to a server.

| Mode | What it verifies |
| --- | --- |
| OBO (On-Behalf-Of) | sub preservation · client_id actor · downstream scopes — RFC 8693 |
| XAA / ID-JAG | ID Token → ID-JAG → Access Token chain · iss/aud alignment · TTL ≤ 10 min · typ claim |

Screenshots

(Add your screenshots to /screenshots folder and they appear here)


Features

  • OBO flow — paste User token + OBO token, get chain proof with sub preservation check
  • XAA / ID-JAG flow — 4-tab inspector: ID Token · ID-JAG · Access Token · Chain Proof
  • 6 automated chain checks — sub match, issuer match, delegation handoff, typ claim, TTL, scope consistency
  • Dark mode — automatic via prefers-color-scheme
  • Zero network calls — all decoding is atob() + JSON.parse() in your browser
  • Desktop app experience — opens in Edge/Chrome --app mode (no address bar, no tabs)
  • Single file — one .vbs double-click, no dependencies, no install
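
An added example (not the project's code) of how the claim-level chain checks listed above could be computed for the XAA / ID-JAG flow. The check names come from this README; the comparison behind each name, the `oauth-id-jag+jwt` header value (taken from the ID-JAG draft), and the `example` issuers are assumptions, and no signature is verified.

```javascript
// Added example, not the project's code. Check names follow the README;
// how each one is computed is an assumption. No signature is verified here.
function b64urlToJson(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64 for atob()
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // UTF-8 safe
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWT with 3 segments");
  return { header: b64urlToJson(parts[0]), claims: b64urlToJson(parts[1]) };
}

// scope may be a space-delimited string (scope) or an array (scp).
const scopeSet = (c) =>
  new Set([].concat(c.scope ?? c.scp ?? []).join(" ").split(" ").filter(Boolean));

function checkXaaChain(idToken, idJag, accessToken, opts = {}) {
  const { maxTtl = 600, jagTyp = "oauth-id-jag+jwt" } = opts; // typ value per the ID-JAG draft
  const id = decodeJwt(idToken), jag = decodeJwt(idJag), at = decodeJwt(accessToken);
  const ttl = jag.claims.exp - jag.claims.iat;
  const granted = scopeSet(jag.claims);
  return {
    subMatch: Boolean(jag.claims.sub) &&
      id.claims.sub === jag.claims.sub && at.claims.sub === jag.claims.sub,
    issuerMatch: Boolean(jag.claims.iss) && id.claims.iss === jag.claims.iss,
    // Handoff: the ID-JAG audience is the authorization server that issued the access token.
    delegationHandoff: [].concat(jag.claims.aud ?? []).includes(at.claims.iss),
    typClaim: jag.header.typ === jagTyp,
    ttl: Number.isFinite(ttl) && ttl > 0 && ttl <= maxTtl,
    scopeConsistency: [...scopeSet(at.claims)].every((s) => granted.has(s)),
  };
}

// Constructed, unsigned sample tokens (placeholder signature segment).
function sampleJwt(header, claims) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(claims)}.sig`;
}
const idp = "https://idp.example", ras = "https://as.resource.example";
const idTok = sampleJwt({ alg: "RS256" }, { iss: idp, sub: "u1", aud: "client-a" });
const jagTok = sampleJwt({ alg: "RS256", typ: "oauth-id-jag+jwt" },
  { iss: idp, sub: "u1", aud: ras, scope: "chat.read", iat: 1700000000, exp: 1700000300 });
const atTok = sampleJwt({ alg: "RS256" }, { iss: ras, sub: "u1", scope: "chat.read chat.write" });
console.log(checkXaaChain(idTok, jagTok, atTok)); // scopeConsistency is the only failing check
```

A result with every check true shows only that the claims line up; the tokens still need signature validation against each issuer's keys before they are trusted.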

How to use

Quickest start (zero warning, recommended)

  1. Download TokenVisualizer.zip
  2. Right-click the ZIP → Properties → tick Unblock → Apply
  3. Extract → double-click TokenVisualizer.vbs

Direct VBS

  1. Download TokenVisualizer.vbs
  2. Double-click → click Open on the one-time warning
  3. The file self-unblocks — no warning on any future run

Supported token formats

| Token | Source | Claims inspected |
| --- | --- | --- |
| User access token | Okta PKCE login | sub, scp, cid, uid |
| OBO token | RFC 8693 token exchange | sub, client_id, scope, uid |
| OIDC ID Token | Any OIDC provider | sub, iss, aud |
| ID-JAG | xaa.dev / Okta XAA | sub, iss, aud, typ, scope, TTL |
| XAA Access Token | Resource auth server | iss, aud, sub, scope, app_org |

Accepts raw JWT strings (eyJ...) and JSON objects {...}.


Standards implemented

| Standard | Used for |
| --- | --- |
| RFC 8693 | OAuth 2.0 Token Exchange (OBO + XAA step 2) |
| RFC 7523 | JWT Bearer Grant (XAA step 3) |
| RFC 6750 | Bearer Token Usage |
| ID-JAG draft | Identity Assertion Authorization Grant |
| OIDC Core | ID Token structure |

Privacy

  • All token decoding happens locally in your browser
  • No tokens are sent to any server — ever
  • The VBS writes a static HTML file to %APPDATA% and opens it in Edge/Chrome app mode
  • Works completely offline after download

Author

Shashi Singh


License

MIT — free to use, modify, and distribute with attribution.


Related tools & standards