Debug OAuth and OIDC flows faster.
Validate discovery documents, launch real browser flows, inspect callbacks, probe token endpoints, and debug returned tokens in one focused workbench.
A better default workflow
Real flow coverageStop stitching together five different sites just to answer one protocol question.
Hosted Mock IdPs are available when you need a controlled issuer for deeper testing, but the main experience is faster protocol debugging and validation.
Recommended Workflow
Follow the flow instead of guessing.
oauth2.dev is strongest when you use the tools as a chain: validate the provider, run the browser flow, inspect the callback, test the token exchange, then verify what the token actually contains.
1. Start with discovery
OpenID Configuration Validator
Fetch the issuer metadata, verify required fields, and surface endpoint issues before the browser flow starts.
2. Launch the browser flow
Authorization Flow Tester
Run a real authorization request with PKCE, response modes, and callback handling instead of relying on synthetic checks alone.
3. Exchange the code
Token Endpoint Tester
Probe token endpoint behavior, OAuth error semantics, content types, cache-control, and browser-facing CORS details.
Core Tools
Purpose-built for protocol work.
The newest surfaces are designed for real OAuth and OIDC flow debugging, not just isolated document checks.
Authorization Flow Tester
Discover authorization endpoints, launch the real browser flow, and inspect the callback returned to oauth2.dev.
Token Endpoint Tester
Probe token endpoints with form-encoded requests and inspect content type, OAuth error formatting, cache-control, and CORS behavior.
OpenID Configuration Validator
Validate an OpenID Connect discovery document from an issuer URL and surface configuration issues, missing claims, and endpoint problems.
JWKS Endpoint Validator
Fetch a JWKS document, validate key material, and check for common endpoint and key-shape problems before they hit production.
UserInfo Endpoint Validator
Check HTTPS, reachability, response semantics, and browser access behavior with optional bearer token probes.
Supporting Toolkit
Keep the rest of the protocol work close at hand.
Once the main flow is behaving, the surrounding utilities help you generate fixtures, inspect specs, and convert key material without leaving the site.
JWT Generator
Generate and sign JSON Web Tokens with various algorithms
Keypair Generator
Generate RSA and EC key pairs for OAuth 2.0 and OpenID Connect
Key Format Converter
Convert cryptographic keys between different formats (PEM, JWK, etc.)
String Encoder / Decoder
Encode and decode strings using various algorithms
RFC Search
Search through OAuth 2.0 and OpenID Connect RFCs
When you need a controlled issuer
oauth2.dev also includes hosted Mock IdPs for deeper test environments, but that is a supporting capability rather than the homepage headline.
Custom users and claims
Create mock users, attach custom claims, and see how your client behaves with realistic identity data.
Managed keys and JWKS
Generate or import signing keys, expose JWKS, and debug the issuer behavior alongside the validator tools.
Logs and replay
Review recent IdP requests and replay common authorization patterns from the dashboard debug console.
Why oauth2.dev
Clearer than scattered tools, deeper than a single mock issuer.
One place for the protocol lifecycle
Move from discovery to browser flow, callback inspection, token exchange, key validation, and token debugging without tab-hopping between unrelated tools.
Built for real OAuth behavior
The strongest tools are the ones that exercise actual browser redirects, endpoint semantics, and returned parameters instead of just checking static JSON.
Privacy-respecting by default
Some tools run fully in the browser. Others make server-side requests so oauth2.dev can fetch or validate remote endpoints. We collect lightweight operational metrics to keep the service working and improve it.
See the privacy policy for details on server-side validation, operational telemetry, and data handling.