PKCE — How it works
PKCE (RFC 7636) prevents authorization code interception.
The client proves it initiated the flow without needing a static client secret.
1. Generate code_verifier: 43–128 URL-safe random chars
2. Hash it: code_challenge = BASE64URL(SHA-256(verifier))
3. Send code_challenge + S256 in the authorization request
4. At token exchange send the raw code_verifier; the server re-hashes and compares
1. Authorization Request
Configure the endpoint and click "Generate PKCE + Build URL", then redirect the browser to the resulting URL. The AS authenticates the user and returns ?code=…&state=… to your redirect URI.
2. Callback
Verify the state parameter matches what you sent to prevent CSRF.
3. Token Request
Complete steps 1–2 first.
POST this body (application/x-www-form-urlencoded) to the token endpoint. The server verifies SHA-256(code_verifier) == code_challenge.