Proof Key for Code Exchange — a browser-safe flow with no client secret. Watch every raw HTTP call and cryptographic step.
Enter your OIDC provider details. Values are saved to sessionStorage and update all displays live.
Generates a cryptographically random code_verifier (32 random bytes as hex), then computes the code_challenge as the base64url encoding of SHA-256(code_verifier). Clicking Generate Keys computes the digest in the browser with window.crypto.subtle.digest('SHA-256', ...).
The browser is redirected to the IdP's authorization endpoint with the PKCE code_challenge. The IdP authenticates the user and redirects back with an authorization code.
After the user authenticates, the IdP redirects back to the redirect_uri with a short-lived code in the query string.
The browser POSTs directly to the token endpoint, sending the code and the code_verifier. The IdP verifies that the base64url-encoded SHA-256(code_verifier) equals the original code_challenge, then returns tokens.
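The challenge derivation from the key-generation step and the IdP's check at the token endpoint, as an added example that is not the demo page's own code. The function names are hypothetical, the verifier syntax check and the comparison loop follow RFC 7636 rather than anything the page shows, and the `node:crypto` fallback is assumed only so the block also runs under Node.js.

```javascript
// Added example (not the demo's code): PKCE S256 from both sides; browser or Node.js.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// base64url without padding, the encoding RFC 7636 uses for code_challenge.
function base64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Client, step 1: 32 random bytes as 64 hex characters (the page's format).
async function generateVerifier() {
  const bytes = (await webCrypto()).getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function challengeFor(verifier) {
  const data = new TextEncoder().encode(verifier);
  const digest = await (await webCrypto()).subtle.digest('SHA-256', data);
  return base64url(new Uint8Array(digest));
}

// IdP, token request: recompute the challenge from the presented verifier
// and compare it with the value stored at the authorization request.
async function idpVerify(storedChallenge, presentedVerifier) {
  // RFC 7636 verifier syntax: 43-128 unreserved characters.
  if (typeof presentedVerifier !== 'string' ||
      !/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  const computed = await challengeFor(presentedVerifier);
  if (computed.length !== storedChallenge.length) return false;
  let diff = 0; // accumulate differences instead of returning early
  for (let i = 0; i < computed.length; i++)
    diff |= computed.charCodeAt(i) ^ storedChallenge.charCodeAt(i);
  return diff === 0;
}

// Constructed walk-through: a token request whose verifier is from another session.
async function demo() {
  const verifier = await generateVerifier();
  const challenge = await challengeFor(verifier); // sent in the authorization URL
  const other = await generateVerifier();         // verifier from another session
  return {
    legitimate: await idpVerify(challenge, verifier),
    mismatched: await idpVerify(challenge, other),
  };
}
```

`demo()` resolves to `{ legitimate: true, mismatched: false }`: the authorization code alone is not redeemable without the verifier that produced the stored challenge.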
IdP Token Response
The id_token is a signed JWT. Its three parts (header, payload, signature) are base64url-encoded and dot-separated. The payload contains the user's identity claims.