Token Decoder

This site can be used to decode Identity tokens

SAML (/saml)

Add https://decoder.pingidentity.cloud/saml as the Assertion Consumer Service in a SAML SP Connection

OIDC AuthZ Code (/oidc)

Add https://decoder.pingidentity.cloud/oidc as a redirect_uri on your OIDC AuthZ Code client (response_type=code).

Enter in the Issuer, client_id, and client_secret and the received Code will be swapped for the access_token and id_token

OIDC Implicit (/implicit)

Add https://decoder.pingidentity.cloud/implicit as a redirect_uri on your OIDC Implicit client (response_type=token id_token).

OIDC Hybrid (/hybrid)

Add https://decoder.pingidentity.cloud/hybrid as a redirect_uri on your OIDC Hybrid client (response_type=code token id_token). Supports GET (Query Fragments) and POST (response_mode=form_post)

OIDC PKCE (/pkce)

This page will allow you to generate a PKCE request using a generated code_challenge and corresponding code_verifier.

A new tab will open with the Code presented on the /oidc page where you can pass in the code_verifier instead of a client_secret

OIDC Inspector (/oidcInspector)

End-to-end Authorization Code + PKCE flow in one place — provider-agnostic. Enter any OIDC Issuer URL and Client ID, and the tool discovers endpoints via /.well-known/openid-configuration, completes the PKCE redirect, and displays the decoded id_token, access_token, refresh_token and userinfo response in a tabbed view.

Add https://decoder.pingidentity.cloud/oidcInspector as a redirect URI on a public OIDC client (no client secret required).

OIDC URL Generator (/oidcGenerator)

This page will let you generate an OIDC URL for Authz Code, Implicit and client_credentials token requests.

OIDC Redirect (/oidcRedirect)

This endpoint will let you ask Decoder to redirect you to an OIDC application with an Implicit request.

Send in parameters for iss (Issuer), client_id, and [Optional] mode=code and your browser will be redirected to the OIDC provider

Note: scope=openid email profile is automatically added to the URI

PingFederate Agentless (/agentless/{{releaseName}})

Add https://decoder.pingidentity.cloud/agentless/{{Facile releaseName}} as the Authentication Endpoint on your Agentless IK adapter.

Note: Facile deployment is required

PingAccess Headers (/headers)

Create an Application pointing to https://decoder.pingidentity.cloud/headers with an Identity Mapping.

PingAccess JWT Header (/headersjwt)

Create an Application pointing to https://decoder.pingidentity.cloud/headersjwt with a JWT Identity Mapping - (default) name: X-PA-Headers.

PingOne Webhook Viewer (/webhooks)

Create a PingOne Webhook (PingOne JSON Format) pointing to https://decoder.pingidentity.cloud/webhooks.

Incoming events can be seen at https://decoder.pingidentity.cloud/webhooks/{{PingOne EnvId}}.