DevToolbox

OAuth 2.0 Flow Visualizer

Visualize OAuth 2.0 authorization flows with step-by-step interactive diagrams. Explore Authorization Code, PKCE, Client Credentials, and more.

About This Tool

The OAuth 2.0 Flow Visualizer is a free browser-based tool that renders interactive sequence diagrams for every major OAuth 2.0 authorization flow. Whether you are implementing authentication for a web application, mobile app, CLI tool, or server-to-server integration, understanding the exact sequence of HTTP requests, redirects, and token exchanges is essential to getting it right and keeping it secure.

Select a flow type and the tool instantly draws a color-coded sequence diagram showing every actor involved — the Client, Authorization Server, Resource Server, and the end User. Click any step in the diagram to expand its details: the HTTP method, endpoint, required parameters, headers, and a full example request or response. Blue arrows represent outgoing requests, green dashed arrows represent responses, so you can trace the data flow at a glance.

The tool covers all standard grant types defined in RFC 6749 and its extensions: Authorization Code (the most widely used server-side flow), Authorization Code + PKCE (the recommended flow for public clients such as SPAs and mobile apps, and the default in OAuth 2.1), Client Credentials (for machine-to-machine communication), Device Code (RFC 8628, for input-constrained devices like smart TVs and CLI tools), and the now-deprecated Implicit and Resource Owner Password flows — included for educational purposes along with clear warnings about why they should not be used in new applications. If you work with JWTs issued by these flows, our JWT Decoder lets you inspect token headers and payloads. For testing the actual HTTP requests described in each step, try the cURL to Code converter to quickly generate runnable code snippets. You can also analyze response headers with the HTTP Header Analyzer.

A built-in PKCE generator lets you create a cryptographically secure code_verifier and its SHA-256 code_challenge right in the browser. The parameter reference panel explains every OAuth 2.0 parameter — client_id, redirect_uri, scope, state, code_verifier, and more — so you always know what to send and why.

Security notes accompany each flow, highlighting best practices such as using HTTPS everywhere, validating the state parameter to prevent CSRF, and rotating refresh tokens. All processing happens entirely in your browser — no data is sent to any server, making the tool safe for exploring real client credentials and configurations.

How to Use

  1. Select an OAuth 2.0 Flow from the dropdown at the top (e.g., Authorization Code, PKCE, Client Credentials).
  2. Review the flow description and security notes to understand when and why to use the selected flow.
  3. Examine the sequence diagram — blue arrows are requests, green dashed arrows are responses. Each actor (Client, Auth Server, Resource Server, User) is labeled with a color-coded header.
  4. Click any step in the diagram to expand its details: HTTP method, endpoint, parameters, headers, and example request/response.
  5. Use the Copy button (or press Ctrl+Shift+C) to copy the selected step's example request or response to your clipboard.
  6. Click Parameters to toggle the reference panel, which explains every OAuth 2.0 parameter.
  7. For the PKCE flow, click Generate PKCE to create a demo code_verifier and code_challenge pair. Copy either value to use in your own implementation.

Popular OAuth 2.0 Flow Examples

View all OAuth 2.0 flow examples →

FAQ

What is OAuth 2.0?

OAuth 2.0 is an authorization framework (RFC 6749) that enables third-party applications to obtain limited access to a web service on behalf of a user, without exposing the user's credentials. It defines several 'grant types' (flows) for different scenarios such as web apps, mobile apps, CLIs, and machine-to-machine communication.

Which OAuth 2.0 flow should I use?

For web applications with a backend server, use Authorization Code. For single-page apps (SPAs) and mobile apps, use Authorization Code + PKCE. For server-to-server (M2M) communication with no user involved, use Client Credentials. For devices with limited input (smart TVs, CLIs), use Device Code. Avoid the Implicit and Resource Owner Password flows — they are deprecated in OAuth 2.1.

What is PKCE and why is it important?

PKCE (Proof Key for Code Exchange, RFC 7636) is an extension to the Authorization Code flow that prevents authorization code interception attacks. The client generates a random code_verifier, derives a code_challenge using SHA-256, and sends the challenge in the authorization request. During the token exchange, the original verifier is sent for proof. PKCE is now recommended for all OAuth 2.0 clients, not just public ones.

Why are the Implicit and Resource Owner Password flows deprecated?

The Implicit flow exposes access tokens directly in the URL fragment, making them vulnerable to interception via browser history, referrer headers, and open redirectors. The Resource Owner Password flow requires the client to handle user credentials directly, which bypasses the core security benefit of OAuth — delegated authorization. OAuth 2.1 removes both grant types entirely. Use Authorization Code + PKCE instead.

Can I use this tool with my real client credentials?

Yes. All processing runs entirely in your browser. No data is ever sent to any server. The tool does not make any actual OAuth requests — it only displays reference diagrams and examples. That said, never paste real client_secret values into any web tool unless you trust it completely.

Is my data safe?

Yes. All visualizations and PKCE generation happen entirely in your browser using JavaScript and the Web Crypto API. No data is sent to any server. You can verify this by checking the Network tab in your browser's developer tools while using the tool.

Does this tool actually make OAuth requests?

No. The OAuth 2.0 Flow Visualizer is purely educational. It displays reference diagrams, example HTTP requests, and parameter documentation. It does not communicate with any authorization server or API. The PKCE generator creates cryptographically secure values locally in your browser for demonstration and testing purposes.

Related Tools

JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and verify signatures.

HTTP Header Analyzer

Fetch and analyze HTTP response headers for any URL. Check security headers, caching, CORS, and more.

Curl to Code Converter

Convert curl commands to Python, JavaScript fetch, PHP, Go, and more programming languages.

HTTP Status Codes

Browse, search, and learn about all HTTP status codes with detailed explanations.

CSP Header Generator

Build Content Security Policy headers visually with directive presets and real-time policy output.

HTTP Method Reference

Interactive HTTP method reference with detailed specs for GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, and more.