PKCE Code Verifier & Challenge Generator

Verifier bytes

Challenge method

Generated locally in your browser with the Web Crypto API — the verifier and challenge never leave your browser. The verifier is base64url-encoded random bytes; the S256 challenge is BASE64URL(SHA-256(verifier)).

Throwaway PKCE pairs for OAuth 2.0 and OIDC flows

PKCE (Proof Key for Code Exchange, RFC 7636) hardens the Authorization Code flow for SPAs, mobile apps, and CLIs. The code_verifier is a high-entropy random string from the unreserved set A-Z a-z 0-9 - . _ ~, 43 to 128 characters long. The code_challenge is sent on the /authorize request and, with S256, equals BASE64URL-WITHOUT-PADDING(SHA-256(ASCII(code_verifier))); with plain it is the verifier itself.

Paste a pair into an /authorize request, a Postman call, or an integration test, then replay the verifier on the token exchange. These are throwaway fixtures — use a fresh pair per real authorization request.