OAuth Bearer Diagnostic
Cross-check bearer auth headers and challenge responses in your browser to isolate authentication failures quickly. Your input stays on your device.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste request/response headers and click Diagnose. Check mismatches between Bearer requests and WWW-Authenticate responses.
Notes (this tool)
- Handling of 401/403 varies by API spec. Do not conclude from status codes alone.
- Expired tokens, scope issues, and audience mismatches can look similar; check issuer settings too.
About this page
What does this tool do?
Checks Authorization: Bearer and WWW-Authenticate together to isolate 401-related issues.
Useful when requests include a token but still fail; it quickly detects basic header mismatches.
Recommendations (practical)
- Always use Authorization: Bearer
- Return WWW-Authenticate: Bearer on 401
- Include scope/error when possible
Notes
- This tool is header-focused; it does not validate expiry, signatures, or authorization logic.
- Missing challenge on 401 can make client re-auth flows unreliable.
- Schemes other than Bearer (Basic/DPoP, etc.) are out of scope.
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Referenced specs
- RFC 6750 (OAuth 2.0 Bearer Token Usage)
- RFC 9110 (HTTP Semantics: Authentication)
FAQ
What should be returned on 401 for stable clients?
Returning WWW-Authenticate: Bearer with error details helps clients branch re-auth flows reliably.
What are common Authorization header mistakes?
Typical mistakes are missing Bearer prefix, extra whitespace, and newline contamination around token values.
References
Related tools
- Authorization Inspect
- WWW-Authenticate Inspect
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- Authorization Inspect — Parse Authorization header formats
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Decoder — Decode and pretty-print JWT header/payload
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
- JWT Claim Audit — Audit missing required/recommended JWT claims
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- JWT Clock Skew Check — Detect timestamp skew across iat/nbf/exp
Same-theme links
Auth
Trace auth failures across Bearer, WWW-Authenticate, and JWT
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- JWT Claim Audit — Audit missing required/recommended JWT claims
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- JWT Clock Skew Check — Detect timestamp skew across iat/nbf/exp
- Authorization Inspect — Parse Authorization header formats
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Decoder — Decode and pretty-print JWT header/payload
- JWT Verifier — Verify JWT signatures (HS/RS/ES)