OAuth PKCE Verifier & Challenge

Generate an OAuth 2.0 code_verifier and derive its S256 code_challenge, or paste your own and check it against RFC 7636's length and charset rules. The same SHA-256 base64url derivation your authorization server expects. Runs entirely in your browser.

Code verifier

Generation and derivation run locally. Your verifier never leaves your browser.

How PKCE works

App / ClientAuthorization server

References

RFC 7636 - Proof Key for Code Exchange (PKCE)
RFC 6749 - The OAuth 2.0 Authorization Framework
RFC 9700 - Best Current Practice for OAuth 2.0 Security