Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

OIDC Discovery Inspector

Inspect pasted provider metadata and isolate issuer, endpoint, JWKS, algorithm, or PKCE mismatches

Paste metadata, not credentials: Use a copied discovery or authorization-server metadata document. This page does not fetch endpoints or JWKS, and input stays in this browser without being saved or added to the URL.
Inspect one pasted metadata documentSeparate required fields, documented defaults, advertised capabilities, extensions, and exact expectations
Samples use reserved example domains.
Auto selects OIDC only when OIDC-specific fields are present; otherwise it inspects the document as OAuth metadata.
Maximum input: 512 KiB. Duplicate top-level names are rejected, and unknown extensions remain visible.
Optional exact and capability checks Issuer, endpoints, JWKS, flow, algorithms, and PKCE

Expected issuer and endpoint comparisons are exact. Capability checks look for the entered value in the advertised list.

Inspect Issuer, Endpoints, and JWKS Metadata

Start with the exact issuer, authorization_endpoint, token_endpoint, and jwks_uri expected by the same tenant and environment. Then check response types, grants, signing algorithms, token endpoint authentication, and PKCE methods that matter to your client.

OIDC and OAuth Metadata Have Different Rules

OIDC provider configuration defines identity-specific fields such as subject types and ID token signing algorithms. OAuth authorization server metadata has its own required, conditional, and optional fields. Auto detection uses OIDC-specific members; choose a type explicitly when you want to inspect a sparse document under one rule set.

Read PKCE Advertising and Documented Defaults Carefully

Missing code_challenge_methods_supported means PKCE is not advertised by this document; it does not prove the server rejects PKCE. The inspector also distinguishes omitted fields with documented defaults from fields that are required for the selected metadata type.

OIDC Discovery Inspector FAQ
Does this page open the discovery URL?

No. Paste the JSON document itself. The inspector does not make requests to the issuer, endpoints, jwks_uri, or any other value found in the document.

Why can an issuer mismatch break verification?

Clients compare the configured issuer with metadata and token claims according to their protocol and library rules. A trailing slash, tenant path, case, or environment difference can therefore matter even when the URLs look related.

Does a clean inspection mean the provider is secure?

No. It means the pasted document produced no inspected mismatch or warning under the selected checks. Reachability, key contents, cryptographic verification, server behavior, and deployment policy remain separate.