JR Trove
Free · Browser-only · No signup

OAuth State + PKCE Generator

Generate cryptographically random values for OAuth 2.0 / OIDC flows — state (CSRF), nonce (ID token replay), code_verifier + code_challenge (PKCE). Web Crypto.

OAuth 2.0 / OIDC values

Cryptographically random state, nonce, and PKCE verifier + challenge. All generated via Web Crypto in your browser — never sent anywhere.

state
Random string included in authorization request. Verified on callback to prevent CSRF.
nonce
OIDC: prevents ID token replay. Goes in authorization request, then verified in the returned ID token.
code_verifier (PKCE)
Random secret kept on client. Sent to token endpoint to prove this client started the flow.
code_challenge (PKCE, S256)
Base64url-encoded SHA-256 hash of code_verifier. Sent in the authorization request as code_challenge with code_challenge_method=S256.
Runs locally: all values are generated via crypto.getRandomValues() and crypto.subtle.digest(), and nothing is sent over the network. Safe to use for real OAuth flows, provided you store the values securely (keep state + nonce + verifier in sessionStorage; do not store them in a URL or in localStorage).
Inside the tool

What powers the OAuth State + PKCE Generator

state — 32 random bytes base64url

nonce — 32 random bytes base64url

code_verifier — 32 random bytes base64url

code_challenge — SHA-256(verifier) (S256)

All via Web Crypto API
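
The generation steps listed above, together with the checks made later in the flow, as an added example that is not the tool's own source. The function names (randomToken, challengeS256, newFlowValues, checkCallback, serverAcceptsVerifier) are assumptions chosen for illustration.

```javascript
// Added example, not the tool's source. Browsers expose globalThis.crypto;
// older Node falls back to node:crypto's webcrypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

// base64url without padding (RFC 4648 section 5), as PKCE (RFC 7636) requires.
function base64url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32 bytes from the CSPRNG become a 43-character URL-safe token.
function randomToken(nBytes = 32) {
  return base64url(wc.getRandomValues(new Uint8Array(nBytes)));
}

// S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
async function challengeS256(verifier) {
  const data = new TextEncoder().encode(verifier);
  return base64url(new Uint8Array(await wc.subtle.digest('SHA-256', data)));
}

// One fresh set of values per authorization request; never reuse them.
async function newFlowValues() {
  const code_verifier = randomToken();
  return {
    state: randomToken(),
    nonce: randomToken(),
    code_verifier,
    code_challenge: await challengeS256(code_verifier),
  };
}

// Client-side callback checks: state from the redirect, nonce from the
// (already signature-verified) ID token, both against the saved values.
function checkCallback(saved, returnedState, idTokenNonce) {
  if (returnedState !== saved.state) return 'state mismatch';
  if (idTokenNonce !== saved.nonce) return 'nonce mismatch';
  return 'ok';
}

// What the token endpoint does with the verifier: recompute and compare
// against the challenge it stored with the authorization code.
async function serverAcceptsVerifier(storedChallenge, presentedVerifier) {
  return (await challengeS256(presentedVerifier)) === storedChallenge;
}
```

The nonce comparison is only meaningful after the ID token's signature has been validated, which this block does not do.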

Built differently

Why the OAuth State + PKCE Generator is different

Browser-native

The OAuth State + PKCE Generator runs entirely in your browser. Input is processed locally — never uploaded, never logged, never cached anywhere outside your device.

No artificial limits

No daily quotas, no character ceilings, no "upgrade for more" walls. Every feature is the complete feature — the same on the first use as the thousandth.

Production-grade quality

Built to the same engineering bar as paid SaaS tools — accurate algorithms, audited logic, responsive design and accessibility-tested interactions.

Use Contexts

Common use contexts

  • OAuth 2.0 client implementation
  • OIDC integration
  • PKCE flow setup for SPAs
  • Manual auth flow testing

Privacy by design

Private and secure

Zero upload

All processing happens in your browser. Input is never transmitted, logged or cached.

Works offline

Once the page loads, the tool runs without an internet connection. No network calls happen during use.

No tracking

No accounts, no cookies for tool state. Only aggregate analytics count visits at the page level.
