Developer Tools
OAuth Authorization URL Builder
Build OAuth 2.0 and OpenID Connect authorization URLs with PKCE in your browser. Provider presets for Google, Microsoft, GitHub, Auth0, Okta, and more.
Provider preset
Picking a provider fills the authorization endpoint and a default scope. You can still edit every field below.
Google requires HTTPS redirect URIs for web apps (localhost is allowed without https for development). Use access_type=offline plus prompt=consent to receive a refresh token on the first run.
Required parameters
From the provider docs, or the authorization_endpoint field of the OIDC discovery document.
Recommended for server-side apps and SPAs/mobile (with PKCE). Returns a one-time code that you exchange for tokens.
The public identifier the provider issued to your application.
Must match one of the redirect URIs registered in the provider dashboard. Custom schemes like myapp://callback are allowed.
Space-separated. Include openid for OpenID Connect.
Security parameters
Store this value in the user's session and verify it on the redirect back. Without state, a stolen code or token can be replayed.
Used by the ID token to bind the authentication request to the response. Required when response_type contains id_token.
PKCE (RFC 7636)
code_challenge_method
Save the verifier alongside the state on the client. Send it in the token-exchange request after the redirect.
Optional parameters
Controls whether the provider prompts the user. none tries silent SSO, login forces a fresh login, consent re-asks for permissions, select_account shows the account picker.
Pre-fills the username on the provider login page. Useful when you already know who is signing in.
Custom parameters
Add provider-specific extras here. Examples: access_type=offline, audience=, resource=, acr_values=.
Generated authorization URL
Pretty view (line-broken for readability)
https://accounts.google.com/o/oauth2/v2/auth ?response_type=code &client_id=my-client-id &redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback &scope=openid+email+profile &state=2M_zkkh4M4oi3Bp9B79AxQ &access_type=offline &include_granted_scopes=true
Warning: PKCE is enabled but the code_challenge is empty. Click Generate PKCE pair.
Warning: Custom parameter "prompt" is built in. The custom value was ignored; edit the dedicated field above.
OIDC detected: yes (scope contains openid)
Flow: Authorization Code
Includes code: yes
Includes id_token: no
Privacy: this builder runs entirely in your browser. PKCE pairs are generated with the Web Crypto API. No credentials, secrets, or URLs are sent anywhere.
How to use
- Pick a provider preset (Google, Microsoft, GitHub, Auth0, Okta, Discord, Spotify, and more) or choose Custom for any other identity provider.
- Fill in client_id and redirect_uri. Use a registered redirect URI from the provider dashboard; custom-scheme URIs like myapp://callback are accepted.
- Choose response_type: code (with PKCE) for SPAs and mobile, code for server-side apps, or id_token / hybrid for older OIDC flows.
- Edit the scope value or click the OIDC scope chips to toggle openid, profile, email, offline_access, and the others on or off.
- Leave PKCE on for any code flow. Click Generate new PKCE pair to refresh the verifier and challenge; copy the verifier and save it alongside the state to use in the token exchange.
- Add provider-specific parameters in the Custom parameters panel (Google access_type=offline, Auth0 audience, Microsoft domain_hint, GitHub allow_signup, and so on).
- Copy the generated URL or click Open in new tab to send the request. Switch to Parse mode and paste an existing URL to decompose it back into the builder fields.
About this tool
OAuth Authorization URL Builder constructs the redirect URL that starts an OAuth 2.0 or OpenID Connect login flow, with proper percent encoding and PKCE pairs generated through the Web Crypto API. Provider presets fill the authorization endpoint and a sensible default scope for Google, Microsoft Entra ID v2, GitHub, GitLab, Auth0, Okta, Slack, Discord, Spotify, LinkedIn, Twitch, Facebook, and Sign in with Apple, while a Custom preset works with any other identity provider. Pick a response_type (code, token, id_token, hybrid combinations), set client_id and redirect_uri, select scopes via OIDC chips or free text, and the URL updates live. State and nonce values are generated for you and can be regenerated with one click. PKCE is on by default for code flows: a fresh 64-byte code_verifier is created and the SHA-256 challenge is derived locally, with copy buttons for both. Provider quirks are surfaced as parameters in the Custom panel (Google access_type, Microsoft response_mode, Discord prompt, Auth0 audience, Spotify show_dialog, Apple form_post) and a Parse mode decomposes any existing authorization URL into the same fields so the page doubles as an inspector. Validation flags the common mistakes: missing client_id or redirect_uri, http for non-localhost redirects, missing nonce for id_token responses, missing PKCE for public clients, empty scope for OIDC, and conflicts between the builtin fields and custom parameters. Nothing leaves the browser; no credentials, secrets, codes, or URLs are sent to a server.
Free to use. Works in your browser. No signup, no login.
Related tools
You may also like
JWT Decoder
Decode header, payload, and claims of a JWT with expiry checks.
Open tool
DeveloperJWT Generator
Sign HS256, HS384, and HS512 JWTs with editable claims and expiry helpers.
Open tool
DeveloperPKCE Generator
Generate a PKCE code verifier, S256 or plain challenge, state, and nonce.
Open tool
DeveloperAuthorization Header Generator
Build Basic, Bearer, and custom Authorization headers with copy-paste request snippets.
Open tool
DeveloperURL Parser
Break a URL into protocol, host, path, query params, and fragment with decoded values.
Open tool
DeveloperURL Encoder Decoder
Encode and decode percent-encoded URLs.
Open tool