Start with the workflow, not a pile of tools.
Validate discovery documents, launch a real browser flow, inspect the callback, exchange the code, and debug returned tokens in one public OAuth workbench.
Recommended Public Flow
Start hereThe shortest path to a useful protocol answer is to follow the flow from top to bottom.
1. Start with discovery
OpenID Configuration Validator
Validate issuer metadata first so endpoint issues are visible before you run a browser flow.
2. Launch the browser flow
Authorization Flow Tester
Run a real authorization request with PKCE and response mode controls instead of relying on static checks alone.
3. Inspect the callback
Authorization Callback Catcher
Capture the returned query, fragment, or form-post response and confirm the flow came back as expected.
4. Exchange the code
Token Endpoint Tester
Probe token endpoint behavior, OAuth error semantics, content types, cache headers, and CORS responses.
5. Inspect the result
Token Debugger
Decode returned tokens, verify signatures, inspect claims, and confirm what the client actually received.
Guided Workflow
Follow the protocol chain in order.
oauth2.dev is strongest when it behaves like one public debugging workflow rather than a loose collection of utilities.
1. Start with discovery
OpenID Configuration Validator
Validate issuer metadata first so endpoint issues are visible before you run a browser flow.
2. Launch the browser flow
Authorization Flow Tester
Run a real authorization request with PKCE and response mode controls instead of relying on static checks alone.
3. Inspect the callback
Authorization Callback Catcher
Capture the returned query, fragment, or form-post response and confirm the flow came back as expected.
4. Exchange the code
Token Endpoint Tester
Probe token endpoint behavior, OAuth error semantics, content types, cache headers, and CORS responses.
Supporting Validators
Check the surrounding surfaces without leaving the flow.
Once discovery, authorize, callback, token exchange, and token inspection are in place, use the adjacent validators to confirm the rest of the provider surface.
Expand the public checks when the core flow is working.
Once discovery, authorize, callback, token exchange, and token inspection are stable, use the surrounding public tools to widen your coverage.
Validate adjacent endpoints
Check JWKS and UserInfo behavior after the main OAuth path is behaving so the rest of the provider surface is covered too.
Generate and convert test material
Create JWTs, generate keypairs, convert formats, and inspect standards references without leaving the public toolset.
Utilities And References
Keep the supporting protocol work close at hand.
Generators, converters, and spec search still matter. They just sit below the main debugging workflow instead of competing with it.
JWT Generator
Generate signed JWTs for test environments, debugging sessions, and interoperability checks across common algorithms.
Keypair Generator
Generate RSA and EC key pairs in the browser and export them as JWK, PEM, SPKI, and PKCS8 for testing and interoperability work.
Key Format Converter
Convert cryptographic keys between PEM, JWK, PKCS8, and related formats without leaving the browser.
String Encoder / Decoder
Convert between plain text, Base64, and URL-encoded forms when working through protocol payloads and encoded parameters.
RFC Search
Search across OAuth 2.0 and OpenID Connect specifications and jump directly to the relevant sections.
Why oauth2.dev
Clearer than scattered tools, deeper than a single validator.
A workflow, not a tool dump
Move through discovery, authorize, callback, token exchange, and token inspection in one public debugging path instead of stitching together unrelated utilities.
Built around real protocol behavior
The strongest surfaces exercise real browser redirects, endpoint semantics, returned parameters, and token contents instead of stopping at static JSON checks.
Supporting tools stay close
JWKS, UserInfo, generators, key conversion, and spec search remain available, but they support the main debugging flow instead of competing with it.