drop oidc id_token + userinfo · parse claims + acr + auth_time · timeline + findings export · runs locally
parses iss sub aud exp iat auth_time acr amr nonce at_hash · flags expired exp · aud mismatch · auth_time drift · missing acr for step-up hints
jwt decode only — no signature verify against live jwks · heuristic screener · not definitive proof
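
The decode-only checks listed above, as an added Python sketch (not this tool's own code). The function names, the `max_age` threshold used for auth_time drift, and the sample token are assumptions constructed for illustration; the signature is never verified, so every claim is treated as untrusted input.

```python
import base64, json, time

def b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def decode_unverified(token):
    # Decode only: the signature segment is ignored, nothing here proves authenticity
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return b64url_json(parts[0]), b64url_json(parts[1])

def screen(claims, expected_aud, now=None, max_age=3600):
    # max_age (seconds) is an assumed threshold for how stale auth_time may be
    now = int(time.time()) if now is None else now
    findings = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("exp_expired_or_missing")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in auds:
        findings.append("aud_mismatch")
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, (int, float)) and now - auth_time > max_age:
        findings.append("auth_time_drift")
    if not claims.get("acr"):
        findings.append("acr_missing")  # no assurance level to base a step-up decision on
    return findings

def make_sample(claims):
    # Constructed sample token with a placeholder signature; not a real credential
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

NOW = 1_700_000_000  # fixed clock so the sample is reproducible
SAMPLE = make_sample({"iss": "https://idp.example", "sub": "u1", "aud": "client-a",
                      "exp": NOW - 60, "iat": NOW - 7300, "auth_time": NOW - 7300})

if __name__ == "__main__":
    header, claims = decode_unverified(SAMPLE)
    print(header["alg"], screen(claims, expected_aud="client-b", now=NOW))
```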