Skip to main content
Back to Dev generators

Dev

Mock OAuth2 Flow Data Generator

Writing OAuth2 test fixtures by hand means second-guessing field names, token formats, and grant-type differences every time. This generator produces complete, spec-compliant request and response payloads for all four major OAuth2 grant types: authorization code, client credentials, refresh token, and implicit. Each sample includes correctly named fields — grant_type, code_verifier, scope, expires_in, issued_at — and randomly generated access tokens, client IDs, and refresh tokens that look exactly like real ones. The flow dropdown controls which grant type you get. Authorization code produces a full PKCE-compatible sample with a code_verifier, a redirect_uri, and a token response including a refresh token. Client credentials skips user-delegated fields and returns only the machine-to-machine payload. Refresh token gives you a request body with a refresh_token and a response with a new access token. Implicit drops the code exchange entirely and returns the token in a URL fragment object. The count input sets how many distinct samples to generate, from 1 to 10. A practical workflow: generate three authorization-code samples, paste them as a Jest fixture array, and assert that your token-storage middleware reads access_token, respects expires_in, and persists the refresh_token. Switch to refresh-token flow to test the expiry-and-retry path. Because each run produces fresh random values, you avoid false positives from hardcoded string comparisons.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Select your target grant type from the OAuth2 Flow dropdown: authorization code, client credentials, refresh token, or implicit.
  2. Set the Number of Samples to how many distinct payloads you need — use 3 to 5 for documentation, more for seeding large test fixtures.
  3. Click Generate to produce complete, structured request and response payloads for the chosen flow.
  4. Copy individual samples directly into your test file, Postman collection, or mock server stub as needed.

Use Cases

  • Seeding Postman collections with realistic OAuth2 token response fixtures for all four grant types
  • Unit testing JWT parsing logic in Node.js or Python against plausible access token strings
  • Populating WireMock or Mockoon stubs with RFC-6749-compliant token response payloads
  • Writing API reference docs with concrete token exchange examples instead of placeholder text
  • Testing refresh token handler logic with correctly structured request and response bodies

Tips

  • Generate authorization code samples alongside client credentials samples to test that your code handles both user-delegated and machine tokens correctly.
  • Set count to 10 or more when seeding database fixtures — having varied token strings prevents false positives caused by duplicate-detection logic in your tests.
  • Use the refresh token flow samples specifically to test your token expiry and retry middleware: plug the mock expired access token into a request and verify the refresh path fires.
  • Compare the implicit flow output with the authorization code output side by side when teaching — the absence of a refresh token in implicit is immediately obvious and sparks useful discussion.
  • When using generated payloads with WireMock, set expires_in to a high value like 3600 so your client's expiry checks do not trigger unexpectedly during a test run.
  • Regenerate samples for each test run rather than committing a single static fixture — this catches bugs where your parser hardcodes expected token values instead of parsing them dynamically.

FAQ

how do I test OAuth2 token refresh logic without a live auth server

Select the Refresh Token flow, generate a few samples, and paste the request payload directly into your refresh handler. Each sample includes both the structured request body and a matching token response with a new access token, so you can assert your code stores and applies the updated token correctly.

are generated OAuth2 tokens safe to commit to a test repo

Yes. Every token, client ID, and secret produced here is randomly generated and has no connection to any real authorization server. They are safe to commit to test fixtures, documentation repos, or example code — just never use them in production configuration files.

what is the difference between authorization code and client credentials flow

Authorization Code is used when a human user logs in — the app exchanges an authorization code for tokens on the user's behalf. Client Credentials skips the user entirely and is designed for machine-to-machine calls where a service authenticates directly with its own client ID and secret.

does the authorization code sample include PKCE fields

Yes. The authorization code sample includes a code_verifier field (a 43-character random base64url string), which is required for PKCE flows. The implicit flow sample does not include a code_verifier or refresh token, mirroring the actual differences between these grant types.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.