OAuth Token Request Generator
Build cURL and raw HTTP requests for OAuth 2.0 token flows with optional PKCE.
Written by Golam Rabbani, Founder & Lead Engineer
How to use this OAuth token request generator
- Pick a flow: client_credentials, password, authorization_code, refresh_token, or "authorize URL with PKCE".
- Enter the token URL (or authorize URL for PKCE) plus your client_id and any credentials the flow needs.
- For client_credentials, choose between HTTP Basic auth and sending client_id/client_secret in the body.
- For PKCE, the tool generates a fresh code_verifier and SHA-256 code_challenge for you.
- Click Generate to get a ready-to-run cURL command and a raw HTTP request, then Copy cURL into your terminal.
About this OAuth token request generator
The OAuth token generator builds a working `POST /token` request — or a PKCE authorize URL — for every common OAuth 2.0 flow defined in RFC 6749 and RFC 7636. The output is two views: a ready-to-paste cURL command and the raw HTTP request it represents, so you can use whichever fits your debugging step.
For client_credentials you choose how the client authenticates — HTTP Basic (the spec-recommended default) or body parameters (`client_id`/`client_secret`). For PKCE the tool uses `crypto.getRandomValues()` to generate 32 random bytes and base64url-encodes them as the `code_verifier`. It then hashes that verifier string with SHA-256 and base64url-encodes the digest as the `code_challenge`, sent with `code_challenge_method=S256`. All four common grants — client_credentials, password, authorization_code, refresh_token — produce the right `grant_type` and parameter set.
As a worked example, a client_credentials flow against `https://auth.example.com/oauth/token` with client_id `abc123`, client_secret `s3cr3t`, scope `read write`, and HTTP Basic auth generates:
```bash
curl -X POST "https://auth.example.com/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic YWJjMTIzOnMzY3IzdA==" \
  -d "grant_type=client_credentials&scope=read%20write"
```
Everything is generated locally — your client_id, secrets, codes, and refresh tokens are never sent to any server by this tool.
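The PKCE derivation described above, together with the matching check an authorization server makes on the token request, as an added example that is not the tool's own code. It runs on Node.js with the built-in `crypto` module (`randomBytes` stands in for the browser's `crypto.getRandomValues()`); the function names, the `state` value and the example.com URLs are assumptions.

```javascript
// Added example for Node.js (built-in modules only). Function names are hypothetical.
const nodeCrypto = require('node:crypto');

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
function challengeFor(verifier) {
  return nodeCrypto.createHash('sha256').update(verifier, 'ascii')
    .digest().toString('base64url');
}

// Client: 32 random bytes become a 43-character base64url code_verifier.
function newPkcePair() {
  const verifier = nodeCrypto.randomBytes(32).toString('base64url');
  return { verifier, challenge: challengeFor(verifier), method: 'S256' };
}

// Client: the authorize URL carries only the challenge; the verifier stays local.
function authorizeUrl(base, clientId, redirectUri, state, pair) {
  const url = new URL(base);
  const params = {
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri, state,
    code_challenge: pair.challenge, code_challenge_method: pair.method,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Server: check made at /token against the challenge stored with the auth code.
function verifierMatches(verifier, storedChallenge) {
  const v = String(verifier);
  // RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(v)) return false;
  const computed = Buffer.from(challengeFor(v));
  const stored = Buffer.from(String(storedChallenge));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return computed.length === stored.length &&
    nodeCrypto.timingSafeEqual(computed, stored);
}

// Constructed demo values: example.com hosts, client_id "abc123", state "xyz".
const demo = newPkcePair();
console.log(authorizeUrl('https://auth.example.com/authorize', 'abc123',
  'https://app.example.com/callback', 'xyz', demo));
console.log('verifier accepted:', verifierMatches(demo.verifier, demo.challenge));
```

`challengeFor` can be checked against the test vector in RFC 7636 Appendix B, which is a quick way to confirm that a provider or client library hashes the verifier string rather than the raw random bytes.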
FAQ
- Which OAuth 2.0 flow should I pick?
- client_credentials for service-to-service (no human user); authorization_code (with PKCE) for web/mobile apps acting on behalf of a user; refresh_token to swap an expired access token for a new one without re-prompting; password flow only when nothing else is available — it has been formally retired in OAuth 2.1.
- What is PKCE and why is the tool generating a code_verifier for me?
- PKCE (RFC 7636) protects authorization-code flows from interception attacks by sending a hashed `code_challenge` on the authorize request and the matching plain `code_verifier` on the token request. Modern providers require it for public clients. The tool fills in a cryptographically random 43-character verifier and its SHA-256 challenge.
- Is HTTP Basic or body auth better for client_credentials?
- HTTP Basic is the RFC-recommended default and what most providers prefer. Some specific providers (Okta, Auth0) accept both; a handful of older or proprietary systems require body params. If both work, pick Basic — it keeps the secret out of the body when you log requests.
- Are my client_id and client_secret sent anywhere?
- No — the tool only builds the request text on your device. The cURL command is meant to be pasted into your own terminal, which is where the credentials actually leave your machine. Nothing about your inputs is logged or transmitted by this site.
- How do I save the PKCE code_verifier for later?
- When you pick "authorize URL with PKCE", the tool prints both the authorize URL and the code_verifier in the result panel. Copy and store the verifier securely — you must send it back on the subsequent `/token` request with `code_verifier=...`. If you lose it, restart the flow.
- Is this OAuth token generator free to use?
- Yes, it is completely free with no account, no signup, and no usage limits.