diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh
index 1d7e2c1..0ddc69c 100755
--- a/scripts/aws-oidc-setup.sh
+++ b/scripts/aws-oidc-setup.sh
@@ -53,6 +53,17 @@ echo "Session Name : $SESSION_NAME"
 echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE"
 echo "Obteniendo credenciales temporales via STS..."
+echo "=== Decoding OIDC Token ==="
+python3 -c "
+import json, base64, sys
+t = open('${BITBUCKET_STEP_OIDC_TOKEN}').read().strip()
+payload = t.split('.')[1]
+padding = 4 - len(payload) % 4
+if padding != 4: payload += '=' * padding
+print(json.dumps(json.loads(base64.b64decode(payload)), indent=2))
+"
+echo "==========================="
+
 CREDS=$(aws sts assume-role-with-web-identity \
 --role-arn "$AWS_ROLE_ARN" \
 --role-session-name "$SESSION_NAME" \
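Review bot: The added `python3 -c` block splices `${BITBUCKET_STEP_OIDC_TOKEN}` into the Python source as the path given to `open()`. In Bitbucket Pipelines that variable normally holds the JWT itself rather than a file name, so the step would likely fail, and a quote character in the value would alter the Python code. The payload is decoded with `base64.b64decode`, which by default silently discards the `-` and `_` characters of the base64url alphabet that JWTs use, so `base64.urlsafe_b64decode` is the right call. Printing the claims unconditionally also puts the step's identity details into every build log. I would gate the dump behind an opt-in debug variable, read the token from the file named by `$AWS_WEB_IDENTITY_TOKEN_FILE` (assuming the script writes it earlier, outside this hunk), and keep a decode failure from blocking the STS call.

```shell
echo "Obteniendo credenciales temporales via STS..."

# DEBUG_OIDC is an illustrative opt-in name; claims stay out of normal build logs.
if [ "${DEBUG_OIDC:-0}" = "1" ]; then
  echo "=== Decoding OIDC Token ==="
  # Token path is passed as an argument, never interpolated into Python source.
  python3 - "$AWS_WEB_IDENTITY_TOKEN_FILE" <<'PY' || echo "WARN: could not decode OIDC token claims" >&2
import base64, json, sys
with open(sys.argv[1]) as fh:
    payload = fh.read().strip().split('.')[1]
payload += '=' * (-len(payload) % 4)  # restore stripped base64url padding
print(json.dumps(json.loads(base64.urlsafe_b64decode(payload)), indent=2))
PY
  echo "==========================="
fi

# … unchanged: aws sts assume-role-with-web-identity call …
```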