
💡 User-delegated authorization: Obtain user consent for requested scopes and receive an access token that acts on their behalf with limited permissions.

Method A: Authorize with PKCE
Recommended

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks: the client sends a hashed challenge with the authorization request and the original verifier with the token request, so a stolen code cannot be redeemed without the verifier. PKCE is mandated by OAuth 2.1.
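As an added example that is not part of this page's tool, the following Python (standard library only) shows both halves of the PKCE check: the client generates the code_verifier and its S256 code_challenge, and a minimal constructed model of the authorization server binds the challenge to the issued code and verifies it once at the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets

# Unreserved characters RFC 7636 allows in a code_verifier; its length must be 43..128.
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def make_code_verifier(length: int = 64) -> str:
    """Client side: a fresh, high-entropy code_verifier for one authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed in-memory model of the server's PKCE bookkeeping (hypothetical, not a real AS)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> stored code_challenge

    def issue_code(self, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted: 'plain' offers no protection if the challenge is observed.
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self._pending[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Token endpoint check: the code is single-use and the verifier must hash to the stored challenge."""
        stored = self._pending.pop(code, None)  # consume the code even when the check fails
        if stored is None or not 43 <= len(code_verifier) <= 128:
            return False
        if any(c not in VERIFIER_ALPHABET for c in code_verifier):
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), stored)
```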

Method B: Legacy Authorization

Traditional flow without PKCE. Less secure, because an intercepted authorization code can be redeemed by whoever holds it, and deprecated in modern implementations.


💡 Perfect for input-constrained devices: Smart TVs, IoT devices, CLI tools - anything where typing credentials is painful. User authenticates on their phone/computer while the device polls for completion.


💡 Silent renewal: Get new access tokens without user interaction.

Security Note: Refresh tokens are high-value. Most providers implement One-Time Use (rotation) by default. Each refresh will invalidate the old refresh token and issue a new one.

💡 Service-to-service authentication: No users involved - your backend service is both client and resource owner. Tokens represent the app's identity, not a user's. ⚠️ Never use in frontend code (exposes secret). No refresh tokens issued - just request new ones when expired.

Method A: Use Client Secret
Requires Client Secret in Configuration.
Method B: Client Assertion (Asymmetric)
Recommended (if supported)

Replaces shared secrets with public-key cryptography: the client signs a short-lived assertion with its private key, and neither the private key nor any client secret is ever sent over the network.

Security Note: Assertions must be very short-lived (typically < 5 minutes) and should include a unique jti to prevent replay attacks.
