ToolsHub

OAuth Callback / Redirect URI Tester

Use this page as your real redirect_uri to capture code or token params, decode JWT claims, and generate PKCE values without sending secrets anywhere.


OAuth callback capture

This page can be your redirect_uri. Query and fragment values are rendered as text only and stay in your browser unless you copy them.

Fragment tokens (after #) are handled client-side and never sent to a server by browser design.


PKCE + state helper

Use state to prevent CSRF. Send code_verifier in your token exchange request and code_challenge in the authorize URL.

Authorization URL builder

redirect_uri: https://toolshub.online/developer/oauth-callback-tester

How to use OAuth Callback / Redirect URI Tester

OAuth Callback Tester turns this page into a practical redirect_uri you can register in OAuth apps for local and production debugging. After a provider redirects back, it parses both query and hash parameters, surfaces standard fields like code, state, access_token, and id_token, and safely renders extra parameters as plain text. It also decodes JWT headers and payloads inline, highlights expired exp claims, stores up to ten captures in localStorage, and helps you generate PKCE verifier/challenge pairs with Web Crypto so you can validate full authorization code or implicit/hybrid flows without shipping temporary backend endpoints.

  1. Register https://toolshub.online/developer/oauth-callback-tester in your OAuth app as an allowed redirect URI.
  2. Run your authorization flow and complete login so the provider redirects back to this page.
  3. Review captured parameters in the table and inspect any decoded JWT header/payload blocks.
  4. Use Generate state + PKCE to create verifier/challenge values and copy them into your app config.
  5. Optionally build a new authorize URL, copy it, and clear callback params from the address bar when done.


Security boundaries when testing OAuth callbacks

This tool is designed for browser-side debugging, not secret handling. Never paste production client_secrets, signing keys, or long-lived refresh tokens into test pages. OAuth callback values should be treated as sensitive because authorization codes and bearer tokens can grant account access. The widget intentionally renders values as plain text with no HTML execution and lets you clear URL params after capture, which reduces accidental leaks in screenshots and copied links. Keep testing accounts isolated, rotate test credentials often, and prefer short token lifetimes while validating redirect behavior.

Why fragment tokens stay client-side and how that helps

OAuth providers that return tokens in the URL fragment place them after the # symbol, and browsers do not send that fragment to servers during navigation requests. That means access_token or id_token values in fragments can be inspected directly in JavaScript without appearing in backend access logs, unless client-side code deliberately transmits them. This tool parses both search and hash values so you can test authorization code, implicit, and hybrid callbacks consistently. Careful local handling is still needed: avoid sharing full URLs, clear parameters after capture, and remember that copied token values leave the browser's protection once pasted into chat or tickets.

Worked examples

Auth code callback capture

Inputs: search: ?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123

Result: Table shows code/state and saves one local capture entry

Implicit flow fragment capture

Inputs: hash: #access_token=eyJ...&token_type=Bearer

Result: Token is displayed, JWT decoded, and fragment can be cleared safely

PKCE generation for mobile app

Inputs: Generate state + PKCE button in helper section

Result: Produces state, code_verifier, and S256 code_challenge copy-ready values

Glossary

redirect_uri
The exact callback URL registered with an OAuth provider where authorization responses are sent.
state
A cryptographically random value used to prevent CSRF by binding callback responses to the original auth request.
PKCE
Proof Key for Code Exchange; an OAuth extension that binds authorization codes to a client-generated verifier.
code_challenge
A transformed representation of code_verifier (typically S256 hash) sent during authorization.
id_token
A JWT returned by OpenID Connect containing identity claims about the authenticated user.


Why use OAuth Callback / Redirect URI Tester?

  • Capture OAuth callback parameters from both query strings and URL fragments in one place
  • Decode JWT-shaped values inline and quickly spot expired exp claims
  • Generate cryptographically random state, code_verifier, and S256 code_challenge values
  • Build a ready-to-copy authorization URL that points back to this tool as redirect_uri

Common use cases

  • Debug OAuth redirect mismatches when providers reject a callback URL or state value
  • Inspect access_token and id_token responses during implicit or hybrid flow testing
  • Validate PKCE implementation before wiring token exchange logic into an app
  • Share reproducible callback captures with teammates without exposing server logs
