OAuth URL Builder
Build OAuth 2 authorization URLs.
Overview
The OAuth URL builder assembles a complete OAuth 2.0 authorization request URL from its component parts: authorization endpoint, client ID, redirect URI, response type, scope, state, and optional PKCE code challenge. Pick the values, and the builder URL-encodes everything correctly and outputs a single link you can paste into a browser to start the flow.
Developers integrating with Google, GitHub, Microsoft, or any other OAuth 2 provider, and security teams reviewing the exact authorization request a client is sending, all need a reliable OAuth URL composer. Long-tail keywords covered: build OAuth 2 authorization URL online, generate PKCE code challenge, and OAuth state parameter best practice.
How it works
OAuth 2.0 (RFC 6749) defines several grant types. The Authorization Code grant — the only one currently considered safe for both web and native apps when paired with PKCE — starts with a redirect to the provider's authorization endpoint carrying response_type=code, client_id, redirect_uri, scope, and state. PKCE (RFC 7636) adds code_challenge and code_challenge_method=S256 to bind the upcoming token exchange to the original request.
After the user authenticates, the provider redirects back to your redirect_uri with code=<value>&state=<same-as-sent>. Your server then exchanges the code (and the matching PKCE code_verifier) for tokens via a separate POST to the token endpoint.
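The two halves of that flow, building the authorization request and checking the redirect that comes back, as an added Python example (not the builder's own code). It assumes the provider endpoint, client ID and redirect URI shown in the page's examples; the client ID is a placeholder and the callback URL at the bottom is constructed rather than captured from a real provider. PKCE follows RFC 7636 (S256), and the state check is the CSRF defence the FAQ describes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge). 32 random bytes give a
    43-character verifier, the RFC 7636 minimum length."""
    verifier = b64url_nopad(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def new_state() -> str:
    """Unguessable per-request state; the client keeps it in the session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scopes,
                            state, code_challenge=None, extra=None):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # RFC 6749 scopes are space-delimited
        "state": state,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if extra:
        params.update(extra)  # e.g. {"prompt": "consent"} for Google
    # quote_via=quote encodes ':', '/' and ' ' as %3A, %2F and %20; urlencode's
    # default quote_plus would emit '+' for spaces, which some providers reject.
    return f"{auth_endpoint}?{urlencode(params, quote_via=quote)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the provider's redirect, or raise.
    Refusing to exchange a code whose state does not match what this client
    sent is what stops a login-CSRF attempt."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not returned_state or not hmac.compare_digest(
            returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, abort the flow")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = new_state()
    url = build_authorization_url(
        "https://accounts.google.com/o/oauth2/v2/auth",
        "CLIENT_ID_PLACEHOLDER",          # placeholder, not a real client
        "https://app.example.com/cb",
        ["openid", "email"],
        state,
        code_challenge=challenge,
        extra={"prompt": "consent"},
    )
    print(url)
    # Constructed callback, shaped like the provider's redirect after login:
    code = parse_callback(f"https://app.example.com/cb?code=4%2FabcXYZ&state={state}", state)
    print("authorization code:", code)
    # `verifier` then goes with `code` in the POST to the token endpoint.
```

Keep the verifier and state server-side (session storage) between the redirect out and the redirect back; the challenge and state are the only two that travel in the URL.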
Examples
- Google sign-in: https://accounts.google.com/o/oauth2/v2/auth?client_id=...&response_type=code&scope=openid%20email&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&state=xyz
- GitHub OAuth: https://github.com/login/oauth/authorize?client_id=...&scope=repo%20user&redirect_uri=...&state=...
- With PKCE: add code_challenge=<base64url-sha256-of-verifier>&code_challenge_method=S256
- Force re-consent on Google: append prompt=consent to skip the cached approval.
FAQ
Why is the state parameter required?
It is a CSRF defence: the client generates a random value, includes it in the request, and verifies that the same value comes back. Without it, an attacker can trick a victim's browser into completing a flow for the attacker's account (login CSRF).
Do I need PKCE for a server-side web app?
Modern best practice is yes, even for confidential clients. The OAuth 2.1 working draft makes it mandatory across the board.
Should the redirect_uri be exact?
Yes. Providers match it against the registered URI byte-for-byte (or with strict subset rules). A trailing slash mismatch is a common cause of "invalid redirect_uri" errors.
What is the difference between Authorization Code and Implicit grant?
Implicit returns the access token directly in the URL fragment. It is considered legacy and insecure (token leakage via browser history and Referer headers). Always use Authorization Code + PKCE instead.
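The exact-match rule from the redirect_uri answer, as an added Python example of the check a provider performs (not code from this builder or any real provider). The registration table and client ID are constructed placeholders. Beyond a yes/no answer it reports which part differs, which is what you want in a log line when a client hits "invalid redirect_uri".

```python
from urllib.parse import urlsplit

# Constructed registration table: client_id -> registered redirect URIs.
REGISTERED_REDIRECTS = {
    "CLIENT_ID_PLACEHOLDER": [
        "https://app.example.com/cb",
        "https://app.example.com/cb2",
    ],
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Byte-for-byte match against the registered list; no normalisation,
    no prefix matching. This is what keeps the authorization code from
    being delivered anywhere the client did not register."""
    return requested in REGISTERED_REDIRECTS.get(client_id, [])


def explain_redirect_mismatch(client_id: str, requested: str) -> str:
    """Reason string for logs and error pages when the exact match fails."""
    registered = REGISTERED_REDIRECTS.get(client_id, [])
    if not registered:
        return "unknown client_id"
    if requested in registered:
        return "ok"
    req = urlsplit(requested)
    same_origin = [
        reg for reg in (urlsplit(r) for r in registered)
        if reg.scheme == req.scheme and reg.netloc == req.netloc
    ]
    if not same_origin:
        return "scheme or host differs from every registered URI"
    if req.fragment:
        return "fragment not allowed in redirect_uri"
    for reg in same_origin:
        # The trailing-slash case the FAQ calls out: same path modulo '/'.
        if req.path != reg.path and req.path.rstrip("/") == reg.path.rstrip("/"):
            return "trailing slash differs"
        if req.path == reg.path and req.query != reg.query:
            return "query string differs"
    return "path differs from every registered URI"


if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/cb",
        "https://app.example.com/cb/",      # trailing slash
        "http://app.example.com/cb",        # wrong scheme
        "https://app.example.com/cb?x=1",   # extra query
        "https://app.example.com/other",
    ):
        ok = redirect_uri_allowed("CLIENT_ID_PLACEHOLDER", candidate)
        print(f"{candidate:40} {'allowed' if ok else 'rejected'}: "
              f"{explain_redirect_mismatch('CLIENT_ID_PLACEHOLDER', candidate)}")
```

Because the comparison is on the raw string, host case, a default port written out, or percent-encoding differences are all mismatches too; register the URI exactly as the client will send it.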