OAuth Bearer Diagnostic
Inspect auth headers and token data in your browser. No input is sent to a server. Use it for first-pass checks on expiry, claims, and schemes.
How to use
Paste request/response headers and click Diagnose. Check mismatches between Bearer requests and WWW-Authenticate responses.
Notes (this tool)
- Handling of 401/403 varies by API spec. Do not conclude from status codes alone.
- Expired tokens, scope issues, and audience mismatches can look similar; check issuer settings too.
About this page
What does this tool do?
Checks Authorization: Bearer and WWW-Authenticate together to isolate 401-related issues.
Useful when requests include a token but still fail; it quickly detects basic header mismatches.
Recommendations (practical)
- Always use Authorization: Bearer
- Return WWW-Authenticate: Bearer on 401
- Include scope/error when possible
Notes
- This tool is header-focused; it does not validate expiry, signatures, or authorization logic.
- A missing challenge on a 401 response can make client re-auth flows unreliable.
- Schemes other than Bearer (Basic/DPoP, etc.) are out of scope.
Debugging workflow (recommended)
- Paste tokens or authentication headers
- Check claims, auth scheme, and expiration
- Verify signature, scopes, and issuer with related tools
Referenced specs
- RFC 6750 (OAuth 2.0 Bearer Token Usage)
- RFC 9110 (HTTP Semantics: Authentication)
FAQ
What should be returned on 401 for stable clients?
Returning WWW-Authenticate: Bearer with error details helps clients branch re-auth flows reliably.
What are common Authorization header mistakes?
Typical mistakes are a missing Bearer prefix, extra whitespace, and newline contamination around token values.
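The header-only checks described above (prefix, whitespace and newline mistakes in Authorization, and the Bearer challenge expected on a 401) can be sketched as follows. This is an added example, not this tool's own code: the function names, finding labels and sample exchange are hypothetical, and the token syntax check assumes the b64token grammar from RFC 6750.

```javascript
// Added example: header-only Bearer diagnostic. Function and finding names are hypothetical.
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/; // b64token syntax, RFC 6750 section 2.1

// Returns a list of problems found in a raw Authorization header value.
function checkAuthorization(value) {
  if (value == null || value.trim() === "") return ["authorization-missing"];
  const findings = [];
  if (/[\r\n]/.test(value)) findings.push("newline-in-value");
  const flat = value.replace(/[\r\n]+/g, "");
  if (flat !== flat.trim()) findings.push("leading-or-trailing-whitespace");
  const m = /^(\S+)(\s+)(.*)$/.exec(flat.trim());
  if (!m) { // one word only: a bare scheme, or a token pasted without its scheme
    findings.push(/^bearer$/i.test(flat.trim()) ? "token-missing" : "bearer-prefix-missing");
    return findings;
  }
  const [, scheme, gap, token] = m;
  if (!/^bearer$/i.test(scheme)) return [...findings, "scheme-out-of-scope"];
  if (gap !== " ") findings.push("extra-whitespace-after-scheme");
  if (!B64TOKEN.test(token)) findings.push("token-not-b64token");
  return findings;
}

// Parses a WWW-Authenticate value; returns its auth-params, or null if it is not a Bearer challenge.
// Simplification: one challenge per value, no backslash escapes inside quoted strings.
function parseBearerChallenge(value) {
  if (value == null || !/^bearer(\s|$)/i.test(value.trim())) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/g;
  for (const m of value.matchAll(re)) params[m[1].toLowerCase()] = m[2] ?? m[3];
  return params;
}

// Combines both checks: the request header against the response challenge.
function diagnose({ authorization, status, wwwAuthenticate }) {
  const findings = checkAuthorization(authorization);
  const challenge = parseBearerChallenge(wwwAuthenticate);
  if (status === 401 && challenge === null) findings.push("401-without-bearer-challenge");
  const tokenSent = !findings.includes("authorization-missing");
  if (challenge && tokenSent && !challenge.error) findings.push("challenge-lacks-error");
  return { findings, error: challenge?.error ?? null, scope: challenge?.scope ?? null };
}

// Constructed sample exchange (not captured traffic).
const SAMPLE = {
  authorization: "Bearer  abc.def.ghi\n",
  status: 401,
  wwwAuthenticate: 'Bearer realm="api", error="invalid_token", scope="read"',
};
console.log(diagnose(SAMPLE));
```

Like the tool, this inspects header syntax only; it does not decode the token or verify expiry, signature or scopes.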
Related tools
- Authorization Inspect
- WWW-Authenticate Inspect
Next to view (diagnostic order)
- JWT 401/403 Troubleshooting — Troubleshoot 401/403 auth failures from headers and JWT claims
- Authorization Inspect — Parse Authorization header formats
- WWW-Authenticate Inspect — Parse WWW-Authenticate challenges
- JWT Decoder — Decode and pretty-print JWT header/payload
- JWT Verifier — Verify JWT signatures (HS/RS/ES)
- JWT Claim Audit — Audit missing required/recommended JWT claims
- JWT TTL Check — Calculate validity window and remaining TTL from exp/iat/nbf
- JWT Clock Skew Check — Detect timestamp skew across iat/nbf/exp