Network

OAuth 2.0 Flow Builder

Build OAuth 2.0 authorization URLs and understand each flow. Supports Authorization Code , Client Credentials , Device Code , and Implicit grant types. Also decodes JWT access tokens.

Grant Type

Client ID

Redirect URI

Scope

State (CSRF protection)

Code Challenge (PKCE)

Authorization Endpoint (optional)

Token Endpoint (optional)

Security tip: Add PKCE (code_challenge + code_verifier) to prevent authorization code interception attacks.

Security tip: Add a random state parameter to prevent CSRF attacks.

Authorization URL

https://authorization-server.example.com/authorize?response_type=code

Flow Steps

1. Client redirects user to Authorization Server (see Authorization URL above)

2. User authenticates and grants consent

3. Authorization Server redirects back to redirect_uri with ?code=AUTH_CODE

4. Client verifies state parameter (CSRF protection)

5. Client exchanges auth code for tokens at token endpoint (see cURL below)

6. Authorization Server returns access_token, token_type, expires_in, and optionally refresh_token

7. Client uses access_token in Authorization: Bearer <token> header

8. When access_token expires, client uses refresh_token to get a new one

Token Request (cURL)

curl -X POST "https://authorization-server.example.com/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE_FROM_REDIRECT" \
  -d "redirect_uri=https://your-app.example.com/callback" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"