Decode JWT (client-only)
Paste a JWT below. Header and payload are base64url-decoded in your browser. The signature is not verified here — use the next tab for that.
Header
Payload
Verify signature (WebCrypto + JWKS)
Fetches the public key set from jwks.rakomi.dev (transparency mirror) and verifies the signature using the browser's WebCrypto API. SDKs MUST use api.rakomi.com/.well-known/jwks.json; the mirror exists for auditors only.
Try OAuth Authorization Code + PKCE
Clicking the button starts a full RFC 6749 §4.1 authorization code flow against the sandbox tenant. The PKCE (RFC 7636) code_verifier is generated with 256 bits of entropy from crypto.getRandomValues, and the request uses code_challenge_method=S256.
Demo credentials (publicly documented; fictional persona, GDPR Art.4(1) non-PII):
- Email:
- Password: see playground README
Result
OAuth response types — what's deprecated
This playground intentionally only exercises Authorization Code + PKCE. Other response types are listed below for context only.
- code (with PKCE) — recommended. Implemented here.
- token (Implicit) — deprecated (OAuth 2.1, IETF Draft). Do not use.
- id_token — OIDC; not exercised in this demo.
- code id_token — OIDC hybrid; not exercised.
Forward look: an integration tab for OIDC Core 1.0 + EUDI Wallet (Reg 2024/1183, end-2026 mandate) will be added when SDK support lands.