Is your OIDC ID token well-formed — and not being misused?

Paste an ID token for an instant, spec-cited semantic lint against OpenID Connect Core, RFC 7519 and RFC 8725: alg, iss/aud/sub/exp, the multi-audience azp rule, at_hash/c_hash binding, and the classic “ID token used as an access token” mistake.

Analyzed in your browser, never uploaded. An ID token carries identity claims (PII). It is decoded and linted entirely client-side; findings reference claim names and structure only, never their values. We do not verify the signature (no key set is provided). A saved permalink stores the derived findings only — never the token.

Load example: