Don't like ads? Go Ad-Free Today

OAuth 2.0 Authorization URL Builder

DeveloperNetworkingSecurity
ADVERTISEMENT · REMOVE?
INPUT
Toggle Width Enter/Exit Fullscreen

Provider & Endpoint

Picking a preset fills the authorization endpoint and suggested scopes. Choose Custom for any other OAuth 2.0 / OpenID Connect server.
The provider's /authorize URL. Auto-filled for presets; edit freely (e.g. replace the Microsoft/Okta tenant or domain).

Request Parameters

The public client identifier issued by the provider. Safe to expose in the URL.
Must exactly match a redirect URI registered with the provider.
Use code (Authorization Code flow) for anything modern. Implicit (token / id_token) is legacy and discouraged.
Space-separated list of scopes. Presets suggest common values; edit as needed.

Security Parameters

S256 (SHA-256) is required by OAuth 2.1 and every modern provider. Use plain only for legacy testing.
Optional. One key=value pair per line. Added verbatim (URL-encoded) to the query string.
OUTPUT
Client Side
Toggle Width Enter/Exit Fullscreen
ADVERTISEMENT · REMOVE?

Related Tools

Some other tools similar to OAuth 2.0 Authorization URL Builder that you might find useful.

TLS/SSL Config Snippet Grader
DeveloperNetworking

CSR (Certificate Signing Request) Generator
DeveloperNetworking

Email Deliverability Checker
DeveloperNetworking

Guide

OAuth 2.0 Authorization URL Builder

OAuth 2.0 Authorization URL Builder

Assembling an OAuth 2.0 authorization request by hand is fiddly: every parameter has to be percent-encoded exactly, the PKCE code_challenge has to be a base64url-encoded SHA-256 hash of a random verifier, and the state and nonce values need to be unpredictable. Get one character wrong and the provider bounces you with an opaque error. This builder produces a correct, ready-to-use authorization URL from a few inputs — entirely in your browser, so secrets never leave the page.

How to Use

  1. Pick a provider preset (Google, GitHub, Microsoft, Okta) to auto-fill the authorization endpoint and suggested scopes, or choose Custom and paste your own endpoint.
  2. Enter your client_id and the redirect_uri registered with the provider.
  3. Choose a response type — code (with PKCE) is recommended for almost every modern app.
  4. Leave PKCE and state enabled, add a nonce if you request an ID token, and add any extra parameters such as access_type=offline.
  5. Click Build URL, then copy the generated authorization URL. If PKCE is on, also copy the code_verifier and keep it for the token exchange.

Features

  • Provider presets – Google, GitHub, Microsoft (Entra) and Okta endpoints and scopes are filled in for you, with a Custom option for any other server.
  • PKCE generation – creates a cryptographically random code_verifier and the matching S256 code_challenge using the Web Crypto API, per RFC 7636.
  • State and nonce – one-click generation of unpredictable CSRF and OpenID Connect replay-protection values.
  • Precise encoding – every parameter is percent-encoded to RFC 3986, with spaces rendered as %20.
  • Decoded breakdown – see each query parameter and its plain value so you can verify the URL at a glance.
  • Fully client-side – nothing is sent to a server; your client secrets and verifier stay in the browser.

FAQ

  1. What is the OAuth 2.0 authorization code flow?

    It is the recommended way for an app to obtain access on a user's behalf. The app redirects the user to the provider's authorization endpoint; after the user consents, the provider redirects back with a short-lived authorization code, which the app then exchanges at the token endpoint for access and refresh tokens. The code never exposes long-lived credentials in the browser or URL history.

  2. What is PKCE and why does it matter?

    PKCE (Proof Key for Code Exchange, RFC 7636) protects the authorization code flow against interception. The client generates a random code_verifier, sends a hashed code_challenge on the authorization request, then proves possession by sending the original verifier at token exchange. It is mandatory in OAuth 2.1 and essential for public clients such as single-page and mobile apps that cannot keep a client secret.

  3. What is the purpose of the state parameter?

    The state parameter is an opaque, unguessable value the client sends on the authorization request and verifies when the provider redirects back. Because it is tied to the user's session, it lets the client detect and reject forged callbacks, which is the standard defense against cross-site request forgery (CSRF) on the OAuth redirect.

  4. How does a nonce differ from state in OpenID Connect?

    A nonce is a random value sent on the authorization request and echoed back inside the ID token's claims, letting the client confirm the token was minted for this specific request and block token replay. State protects the redirect/authorization step against CSRF, while nonce protects the issued ID token — they solve different problems and are often used together.

Want To enjoy an ad-free experience? Go Ad-Free Today

Install Our Extensions

Add IO tools to your favorite browser for instant access and faster searching

Add to Chrome Extension Add to Edge Extension Add to Firefox Extension Add to Opera Extension

Scoreboard Has Arrived!

Scoreboard is a fun way to keep track of your games, all data is stored in your browser. More features are coming soon!

ADVERTISEMENT · REMOVE?

Must-Try Tools

View All
Background Remover
AI Image Editor
AI Image Generator
ImageKit
PDF Compressor
Image Converter
One Time Link
ADVERTISEMENT · REMOVE?

New Arrivals

View All
HAR to cURL Commands Extractor
SQL Parameterizer
Matrix Calculator (2×2 / 3×3)
ISO Week Number Calculator
Fibonacci Retracement Level Calculator
API Secret Scanner & Redactor
Kustomize kustomization.yaml Generator

Update: Our latest tool was added on Jun 25, 2026

ADVERTISEMENT · REMOVE?

News Corner w/ Tech Highlights

Get Involved

Help us continue providing valuable free tools

Buy me a coffee
ADVERTISEMENT · REMOVE?