JWT Decoder

Why model OIDC tokens explicitly?

OpenID Connect makes modern sign-in feel smooth, and it also creates a classic meeting problem: people say token for more than one object. A product might use an ID token for profile text on screen and an access token for API calls, and those are not interchangeable just because both can look like three-part JWTs. The pain is a launch or renewal review where legal, security, and product are in the same room, and the real question is which data is allowed where, not whether a test login worked on a phone.

A debugger-style decode helps a program manager keep the room grounded. You can point to issuer, audience, and lifetimes, and you can name which token the UI reads versus which token the server validates. For marketers and operations leads, the win is fewer post go-live surprises, like a field that showed in a demo but never appears in the real token path. A free OIDC-style JWT view makes the invisible legible, with the same care you use for any secret. The benefit is a shared vocabulary, so the team moves from argument to a checklist: fix audience, fix scopes, fix redirects, align environments.

If you are tired of five meanings of JWT in one hour, open the fields, name the object you are debugging, and change the right console setting, not a random app layer. That is calmer work for people and the calendar, and it is how cross-team launches feel planned, not improvised. Use the view, document what you found, and file a ticket with concrete field names, not a mood. Treat an OIDC JWT debugger as a briefing step, not a replacement for your full security process, and you get speed without chaos. When the story is clear, the day gets shorter, and leadership hears a plan instead of a fog bank. If customers are waiting, clarity is not a nice-to-have; it is the schedule itself.

How to debug OIDC-style JWTs

  1. Capture the token you actually use for the resource call and the one your SPA reads for user profile, separately if your flow keeps them distinct.
  2. Check aud, azp, and iss against your app registration, then look at scp or custom claims if your BFF pattern injects more roles.
  3. Reconcile session lifetime with refresh: often the product bug is experience, not crypto, even when people say "JWT is broken."

OIDC JWT FAQ

Is the ID token always a JWT?
In many modern stacks, yes, but your IdP can issue opaque tokens in some cases. Do not plan architecture solely around paste-decoding; read the spec your vendor follows.
Can I trust email in the ID token for provisioning?
You should also consider email_verified, tenant policies, and HR source-of-truth rules. A token is a signal, not a person file.
What about nonce for hybrid flows?
A decoder may show the nonce. Your client must have matched and stored it per flow; a missing or wrong pairing is a front-channel bug, not a magic decode task.
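As an added example covering both the three debugging steps above and the email_verified and nonce questions in this FAQ (this is not the JWT Decoder tool's own code), the Python below splits a compact JWT into header and payload without verifying the signature, then checks iss, aud, azp, exp, nonce and email_verified against a stand-in app registration. The issuer, client id, stored nonce, sample claims and frozen clock are all constructed values for the demonstration, and the token's signature segment is a placeholder.

```python
import base64
import json
import time
from typing import List, Optional, Tuple


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; only used to build the constructed sample below."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWT into (header, payload) for inspection only.

    Nothing here checks the signature; that remains the job of the server
    that validates the token. An opaque token has no three-part shape and
    is reported instead of guessed at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT; probably an opaque token")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def audit_id_token(payload: dict, *, issuer: str, client_id: str,
                   stored_nonce: Optional[str] = None,
                   now: Optional[int] = None) -> List[str]:
    """Compare ID-token claims with what the app registration expects.

    Returns concrete, field-named findings (empty list = claims line up),
    which is the form a ticket should quote.
    """
    now = int(time.time()) if now is None else now
    findings: List[str] = []

    if payload.get("iss") != issuer:
        findings.append(f"iss {payload.get('iss')!r} != expected {issuer!r}")

    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        findings.append(f"aud {aud!r} does not include client_id {client_id!r}")
    # azp: required when aud lists several clients; when present it must name us.
    if len(aud_list) > 1 and "azp" not in payload:
        findings.append("aud has multiple values but azp is missing")
    elif "azp" in payload and payload["azp"] != client_id:
        findings.append(f"azp {payload['azp']!r} != client_id {client_id!r}")

    exp = payload.get("exp")
    if exp is None:
        findings.append("exp missing")
    elif now >= exp:
        findings.append(f"expired {now - exp}s ago: check session/refresh, not crypto")

    # nonce: the client stored one per flow and must see the same value come back.
    if stored_nonce is not None and payload.get("nonce") != stored_nonce:
        findings.append("nonce does not match the value stored for this flow")

    # email is a signal, not a person file: do not provision from it unless verified.
    if "email" in payload and payload.get("email_verified") is not True:
        findings.append("email present but email_verified is not true")

    return findings


# ---- Constructed sample (not a real token; the signature bytes are a placeholder) ----
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_CLIENT_ID = "spa-client-id"
FIXED_NOW = 1_700_000_000            # frozen clock so the findings are reproducible
STORED_NONCE = "n-0123"

SAMPLE_PAYLOAD = {
    "iss": EXPECTED_ISSUER,
    "sub": "user-123",
    "aud": ["spa-client-id", "bff-client"],   # two audiences, so azp is required
    "iat": FIXED_NOW - 1000,
    "exp": FIXED_NOW - 400,                   # already expired at FIXED_NOW
    "nonce": STORED_NONCE,
    "email": "alice@example.test",
    "email_verified": False,
}
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"placeholder-signature"),
])


def audit_sample() -> List[str]:
    """Decode the constructed token and run the checklist against it."""
    _, payload = decode_unverified(SAMPLE_TOKEN)
    return audit_id_token(payload, issuer=EXPECTED_ISSUER,
                          client_id=EXPECTED_CLIENT_ID,
                          stored_nonce=STORED_NONCE, now=FIXED_NOW)


if __name__ == "__main__":
    header, _ = decode_unverified(SAMPLE_TOKEN)
    print("header:", header)
    for finding in audit_sample():
        print("-", finding)
```

Run as a script, it prints three findings for the constructed token (a multi-valued aud with no azp, an expired exp, and an email that is not verified), each naming the field rather than a mood. Signature verification against the issuer's published keys is deliberately left out of this helper; it belongs to the server-side validation path, not to a decode used for briefing a review.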