Free PKCE Code Verifier & Challenge Generator
Generate a spec-compliant PKCE pair · a random code_verifier and its SHA-256 code_challenge · for testing OAuth 2.0 authorization-code flows.
Frequently asked
What is PKCE and when do I need it?
PKCE (RFC 7636) protects the OAuth authorization-code flow against code interception. It's mandatory for public clients like SPAs and mobile apps · and recommended for every client in OAuth 2.1.
Why S256 instead of plain?
With plain, the challenge equals the verifier, so anything that can read the authorization request can replay it. S256 sends only the SHA-256 hash · the verifier itself never appears until the token exchange.
Run a full security scan →