OAuth 2.0 PKCE Generator
PKCE (Proof Key for Code Exchange, RFC 7636) is the modern OAuth 2.0 flow recommended for ALL public clients — single-page apps, mobile apps, and desktop apps that can't keep a client_secret safe. This tool generates a cryptographically random `code_verifier` (43-128 chars from the unreserved URI alphabet), derives the `code_challenge` (SHA-256 base64url-encoded for S256, or the verifier itself for `plain`), and builds the full authorization URL with `state` for CSRF protection. The companion `curl` example shows the token exchange step, with all parameters filled in — just paste in the `code` from the callback redirect.
How to use
- Set verifier length (64 is a good default — between 43 minimum and 128 maximum).
- Pick S256 (always preferred) or plain (only for legacy servers).
- Fill in your `client_id`, `redirect_uri`, `scope`, and OAuth endpoints.
- Send the user to the authorization URL. After they're redirected back with `?code=...`, run the curl with that code to get tokens.
Frequently asked questions
- S256 vs plain — which should I use?
- Always S256. Plain just sends the verifier as the challenge, which gives no protection if an attacker intercepts the authorization request. S256 sends only SHA-256 of the verifier — the verifier itself never appears in step 1, making interception attacks much harder. RFC 7636 says clients should reject plain if S256 is available.
- Why these specific characters in the verifier?
- RFC 7636 specifies the verifier alphabet as `[A-Z][a-z][0-9]-._~` — the unreserved URI characters from RFC 3986. This makes the verifier safe to use anywhere (URLs, headers, form bodies) without escaping.
- What's `state` for?
- An opaque random string the client generates per-request and validates on callback. Prevents CSRF: if an attacker tricks your user into clicking a malicious authorization redirect, the `state` won't match what your app remembered and you reject the response. Always use it.
- Where does this run?
- Entirely in your browser. The verifier comes from `crypto.getRandomValues()` and the SHA-256 from `crypto.subtle.digest()` — both Web Crypto APIs. Nothing is sent anywhere.
Related tools
IP Address Inspector
Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.
Port Number Reference
Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).
DNS Record Reference
Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.
Subnet Calculator (IPv4 / CIDR)
Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.
User Agent Parser
Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.
HTTP Status Code Reference
Searchable list of every HTTP status code (1xx-5xx) with summary, RFC, when to use, and common pitfalls.