Parse and validate OAuth tokens with claims extraction and expiration analysis. Part of the DevTools Surf developer suite.
Use Cases
Inspect and validate an OAuth access token or refresh token received from an authorization server.
Debug scope mismatches by parsing the scope claim before making an API call.
Verify token expiry and calculate time remaining before proactive refresh is needed.
Extract and inspect claims from an OpenID Connect ID token (JWT-based OAuth token).
Tips
Check the token_type field — 'Bearer' means any party that presents the token can use it; 'DPoP' (Demonstration of Proof of Possession) means the token is bound to the caller's key, so presenting it alone is not enough.
Verify the scope claim to confirm that the token has the required permissions before attempting the API call — missing scopes produce 403 errors, not 401.
Parse the exp claim and compare against the current time before each API request to avoid using expired tokens — implement proactive refresh rather than handling 401s.
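The three tips above applied in one routine, added here as an example (not the DevTools Surf tool's own code): it reads a token endpoint response, decodes the claims of a JWT-structured access token without verifying the signature, flags opaque tokens, diffs the granted scope against the scopes a call needs, and computes the seconds left until exp so a refresh can be scheduled. The sample response and token below are constructed; the function names are this example's own.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str):
    """Payload claims of a JWT-structured token, or None if the token is opaque.
    This only decodes the claims; it does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header, claims = (json.loads(_b64url_decode(p)) for p in parts[:2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(header, dict) and isinstance(claims, dict) else None

def analyze_token_response(resp: dict, required: set, now: float, margin: int = 60) -> dict:
    """Key binding, scope gaps and time left; refresh when <= margin seconds remain."""
    claims = jwt_claims(resp.get("access_token", ""))
    # RFC 6749 returns scope in the response body; a JWT may also carry a claim
    granted = set(str(resp.get("scope") or (claims or {}).get("scope", "")).split())
    # exp inside the JWT is authoritative; otherwise derive it from expires_in
    if claims and "exp" in claims:
        exp = float(claims["exp"])
    elif "expires_in" in resp:
        exp = now + float(resp["expires_in"])
    else:
        exp = None
    remaining = None if exp is None else exp - now
    return {
        "jwt": claims is not None,
        "sender_constrained": resp.get("token_type", "").lower() == "dpop",
        "missing_scopes": sorted(required - granted),
        "seconds_remaining": remaining,
        "refresh_now": remaining is not None and remaining <= margin,
    }

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample: a JWT access token with a placeholder (unverified) signature
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "at+jwt"}),
                       _b64url({"iss": "https://issuer.example", "sub": "user123",
                                "scope": "read:profile", "exp": 1700000600}),
                       "signature-placeholder"])
SAMPLE_RESPONSE = {"access_token": SAMPLE_JWT, "token_type": "Bearer",
                   "expires_in": 600, "scope": "read:profile"}
```

A missing scope shows up in missing_scopes before the call is made (the 403 case), and refresh_now turns true once the token is inside the refresh margin.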
Fun Facts
OAuth 1.0 (2010) required complex HMAC request signing for every API call. OAuth 2.0 (2012) replaced this with Bearer tokens — much simpler but criticized for moving security responsibility to implementers rather than the protocol.
The OAuth 2.0 Authorization Code with PKCE (Proof Key for Code Exchange) flow, originally specified for mobile apps in RFC 7636 (2015), is now recommended for all OAuth clients including SPAs, replacing the implicit flow which was deprecated in 2019.
OAuth's name comes from 'Open Authorization' — the original design goal was to allow users to grant third-party apps access to their data without sharing passwords, a problem Twitter's API faced in 2006-2007.
FAQ
What's the difference between an access token and a refresh token?
Access tokens are short-lived (minutes to hours) and sent with every API request. Refresh tokens are long-lived (days to months) and used only to obtain new access tokens when they expire.
Can it parse opaque tokens?
Opaque tokens have no parseable structure — they're just random strings. The tool can analyze JWT-structured OAuth tokens (signed JWTs) but cannot decode truly opaque tokens without calling the introspection endpoint.
What's PKCE and when do I need it?
PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks for public clients (SPAs, mobile apps) that cannot keep a client secret. It's required for all public OAuth clients per current best practice.