Request Builder
POST /auth/authorize
Strict URI validation is OFF - any URI may be accepted
No state parameter - vulnerable to CSRF
PKCE
PKCE is required - request will fail without code_challenge
POST /auth/token
Last code:
Last verifier:
GET /api/data
Use last token:
Token's audience:
(validation OFF)
Security Evaluation Matrix
Response
Response Body
Access Token
Decoded Access Token
Header
Payload
Token Analysis
Security Evaluation
Failed Controls ()
Passed Controls ()
Compare: Secure Config
When Compare Mode is on, the same request will be sent with a secure configuration to show the difference.
Response (Secure Config)
Would be blocked by: