OIDC and OAuth flow demos

Pick a flow below to build a login link by hand and watch the raw HTTP traffic, or use one of the tools to inspect tokens and URLs.

Flows

Implicit flow (fragment)

Tokens are returned in the URL fragment. Deprecated, kept here to show why.

Implicit flow (form post)

Same flow, but the tokens are posted back to the app instead of appearing in the URL.

Authorization code flow

The standard flow: get a code, then exchange it for tokens on the back channel.

Authorization code flow + PKCE

The recommended flow for public clients, adding a code verifier and challenge.

Client credentials flow

Machine-to-machine access with just a client ID and secret, no user involved.

Refresh tokens

Get a refresh token by requesting the offline_access scope, then use it to silently get new access tokens.

Tools

Use an access token

Paste any access token and call the userinfo or time API endpoint with it.

URL query visualizer

Paste a redirect URL and see its query string and fragment parameters broken out.

Back-channel log

See every server-to-server HTTP call this app has made, request and response.
