About OAuth PKCE Generator

Generate PKCE parameters with S256/plain support, state, and nonce. Includes OAuth flow examples. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Generating PKCE parameters for single-page application OAuth flows
• Testing OAuth authorization code flow with PKCE in development
• Creating code challenge pairs for mobile app authentication
• Debugging PKCE verification failures in OAuth server logs

Tips

• Generate a fresh code_verifier and code_challenge pair per flow
• Use S256 challenge method instead of plain for security
• Copy the state parameter to prevent cross-site request forgery

Fun Facts

• PKCE (RFC 7636) was published in September 2015 and was originally designed to protect mobile apps from authorization code interception.
• The acronym PKCE is pronounced 'pixy' and stands for Proof Key for Code Exchange.
• OAuth 2.1 (draft) mandates PKCE for all OAuth clients, not just mobile apps, making it a universal security requirement.

FAQ

What is PKCE?

Proof Key for Code Exchange — an OAuth 2.0 extension that prevents authorization code interception attacks. Required for mobile apps and SPAs.

What does the tool generate?

code_verifier (random 43-128 char string), code_challenge (SHA-256 of the verifier, base64-url-encoded), and state (CSRF protection token).

Where do these go?

code_challenge on the /authorize request; code_verifier on the /token request. state is a round-trip parameter to prevent CSRF.

Why SHA-256 for the challenge?

The 'S256' method. There's also 'plain' (just use verifier as challenge) but it's not secure. Always use S256.