DevDash

JWT Decoder for OAuth 2.0 Access Tokens

Quick Answer: OAuth 2.0 access tokens are often JWTs containing scope (permissions granted), client_id (the requesting app), iss (the authorization server that issued the token), aud (the resource server the token is intended for), and exp (expiration time). Decode the token to debug scope and audience mismatches.

FAQ

Are all OAuth access tokens JWTs?

No. OAuth 2.0 does not mandate a token format. Some providers issue opaque tokens (random strings) that are validated by calling the authorization server's introspection endpoint. JWTs are self-contained and can be verified without calling the authorization server.

What is the difference between scope and permissions?

Scope is what the OAuth client requested and the user consented to. Permissions are fine-grained access rights. A scope like "read:users" might map to specific permission checks in your API.
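
The debugging workflow described above, as an added example (not DevDash's own code): it decodes an access token's claims and reports audience, scope, and expiry mismatches, and falls back cleanly when the token is opaque. The function names, the example.com URLs, and the sample token are constructed for illustration; the signature is deliberately not verified, so this is for debugging only.

```python
import base64, json, time

def b64url_decode(seg):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def decode_claims(token):
    """Return the payload claims, or None if the token is opaque (not a JWT).
    The signature is NOT verified: use for debugging, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(header, dict) and isinstance(claims, dict) else None

def diagnose(token, expected_aud, required_scopes, now=None):
    claims = decode_claims(token)
    if claims is None:
        return ["opaque token: use the introspection endpoint instead"]
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if expected_aud not in aud:
        problems.append(f"audience mismatch: token aud={aud}, API expects {expected_aud}")
    scope = claims.get("scope", "")  # normally a space-delimited string
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"missing scope(s): {missing}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    return problems

def make_sample(claims):
    # Constructed sample token with a placeholder signature, for demonstration only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "at+jwt"}), enc(claims), "c2ln"])

SAMPLE = make_sample({"iss": "https://auth.example.com", "aud": "https://api.example.com",
                      "client_id": "demo-app", "scope": "read:users", "exp": 2000000000})

if __name__ == "__main__":
    print(diagnose(SAMPLE, "https://billing.example.com", ["read:users", "write:users"], now=1700000000))
```

An empty list means the decoded claims match what the API expects; the API must still verify the signature before trusting any of them.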
