OAuth 2.0 Playground
Build and test OAuth 2.0 authorization flows directly in your browser. Select a grant type, configure your provider settings, and generate properly formatted authorization URLs. Supports Authorization Code, PKCE, Client Credentials, and Device Code flows.
Quick Guide
- Select an OAuth 2.0 grant type
- Configure your provider endpoints and client settings (or use a preset)
- Click “Build Authorization URL” to generate the flow
- Copy the URL and test it in your browser
| Grant Type | Best For | User Interaction |
|---|---|---|
| Authorization Code | Server-side web apps | Yes |
| Auth Code + PKCE | SPAs, mobile apps, CLIs | Yes |
| Client Credentials | Machine-to-machine APIs | No |
| Device Code | Smart TVs, CLI tools | Yes (on separate device) |
Privacy & Security
This OAuth playground runs 100% in your browser. No data is sent to any server. URLs are generated locally using JavaScript. Safe for building test authorization URLs, but never paste production client secrets into any online tool.
Authorization Code (+ PKCE): The most secure flow. The client redirects the user to the authorization server, which returns an authorization code. The client exchanges this code for tokens at the token endpoint. PKCE adds code_verifier/code_challenge for public clients.
Client Credentials: For machine-to-machine authentication with no user involvement. The client sends its credentials directly to the token endpoint and receives an access token.
Device Authorization: For devices with limited input (smart TVs, CLI tools). The device gets a user code and displays it; the user authenticates on a separate device (phone/laptop) by entering the code.
- PKCE Generator - Generate code_verifier and code_challenge for OAuth PKCE flow
- JWT Decoder - Decode and inspect OAuth access tokens and ID tokens
- OIDC Discovery Checker - Validate OpenID Connect discovery endpoints
- OAuth 2.0 Complete Developer Guide
- OAuth BFF Pattern for React SPAs
